Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Virtumonde? Anything Else?


  • This topic is locked This topic is locked
14 replies to this topic

#1 Rob the Newbie

Rob the Newbie

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 13 April 2008 - 06:13 PM

For a couple of days, I have bee having problems accessing my Yahoo mail account; there were also some popups. I ran SpyBot and it says I have Virtumonde, but when I ask it to remove it, it freezes. The browser is also slower than usual. If anyone can help me, I would be very grateful... Here is the info from DSS:

Deckard's System Scanner v20071014.68
Run by Rob on 2008-04-13 18:56:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
37: 2008-04-13 22:57:12 UTC - RP345 - Deckard's System Scanner Restore Point
36: 2008-04-13 21:30:06 UTC - RP344 - Spybot-S&D Spyware removal
35: 2008-04-13 19:51:20 UTC - RP343 - Spybot-S&D Spyware removal
34: 2008-04-12 19:19:02 UTC - RP342 - Spybot-S&D Spyware removal
33: 2008-04-11 13:39:56 UTC - RP341 - System Checkpoint


-- First Restore Point --
1: 2008-04-10 12:19:57 UTC - RP309 - Installed Pure Networks Platform


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Rob.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-13 19:00:21
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\PharosSystems\Core\CTskMstr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EasyDisk UFD Tool\UfdTMon.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\Program Files\EzButton\CplBCL50.EXE
C:\Program Files\Sony\SonicStage\SSAAD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Bell\Security Manager\rpsupdaterr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Documents and Settings\All Users\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.811.com/saecs.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! Canada
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: (no name) - {3F1023FD-EABB-4CE1-B32B-EF42C3C3D42D} - C:\WINDOWS\system32\qoMdEVpq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: {c1af7989-f72e-b77a-d744-f02ab23c0ec5} - {5ce0c32b-a20f-447d-a77b-e27f9897fa1c} - C:\WINDOWS\system32\eqbdeqxq.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\xxyaxWMC.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [CplBCL50] C:\Program Files\EzButton\CplBCL50.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [b061e609] rundll32.exe "C:\WINDOWS\system32\pjegbptq.dll",b
O4 - HKLM\..\Run: [BMb352d595] Rundll32.exe "C:\WINDOWS\system32\aowkaorl.dll",s
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\comz\cegmgr76.exe
O4 - Global Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137773602446
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://F:\Content\include\msSecUcd.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: xxyaxWMC - C:\WINDOWS\system32\xxyaxWMC.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: dvpapi - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\Program Files\PharosSystems\Core\CTskMstr.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterr.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe


--
End of file - 14524 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BsStor (InCD Storage Helper Driver) - c:\windows\system32\drivers\bsstor.sys <Not Verified; B.H.A Co.,Ltd.; >
R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 Machnm32 (Machnm32 Driver) - c:\windows\system32\machnm32.sys
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S2 TREKTH2K (Thumb Drive Device) - c:\windows\system32\drivers\trekth2k.sys <Not Verified; Trek 2000 Int'l Ltd; USB Storage Device>
S3 AlcrFilt (Alcor Micro Corp) - c:\windows\system32\drivers\alcrfilt.sys <Not Verified; AlcorMicro; AlcorMicro AlcrFilt>
S3 ASPI (Advanced SCSI Programming Interface Driver) - c:\windows\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
S3 BtAudio (Bluetooth Audio) - c:\windows\system32\drivers\btaudio.sys (file missing)
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTDriver (Bluetooth Virtual Communications Driver) - c:\windows\system32\drivers\btport.sys (file missing)
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 BTWDNDIS (Bluetooth LAN Access Server) - c:\windows\system32\drivers\btwdndis.sys (file missing)
S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20040813.178\symidsco.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys (file missing)
S4 BsUDF (InCD UDF Driver) - c:\windows\system32\drivers\bsudf.sys <Not Verified; ahead software; UDF File System Driver (WindowsXP)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 EpsonBidirectionalService - c:\program files\common files\epson\ebapi\eebsvc.exe
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 Pharos Systems ComTaskMaster - "c:\progra~1\pharos~1\core\ctskmstr.exe" <Not Verified; Pharos Systems International; PHAROS>

S3 nmraapache (Pure Networks Net2Go Service) - "c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe" -k runservice <Not Verified; Pure Networks, Inc.; Pure Networks Net2Go Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\32000F9D23F36
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\32000F9D23F36
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth Device (RFCOMM Protocol TDI)
Device ID: ROOT\NET\0000
Manufacturer: Microsoft
Name: Bluetooth Device (RFCOMM Protocol TDI)
PNP Device ID: ROOT\NET\0000
Service: RFCOMM


-- Scheduled Tasks -------------------------------------------------------------

2008-04-04 15:13:23 404 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-04-04 11:58:01 266 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-03-25 11:58:25 388 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2008-02-13 19:44:45 260 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2007-12-22 22:03:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-05-19 11:09:13 334 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2008-04-12 21:57:46 86592 --a------ C:\WINDOWS\system32\pjegbptq.dll
2008-04-12 21:54:45 92736 --a------ C:\WINDOWS\system32\eqbdeqxq.dll
2008-04-12 21:50:39 3648 --a------ C:\WINDOWS\system32\ikjyooik.dll
2008-04-12 21:45:36 94272 -----n--- C:\WINDOWS\system32\aowkaorl.dll
2008-04-12 20:32:21 0 d-------- C:\Program Files\Enigma Software Group
2008-04-12 13:46:41 37888 --a------ C:\WINDOWS\system32\wvUlkHwW.dll
2008-04-11 21:45:19 3648 --a------ C:\WINDOWS\system32\rbjexnij.dll
2008-04-11 21:42:12 94784 --a------ C:\WINDOWS\system32\xegcrjdc.dll
2008-04-10 21:42:14 3648 --a------ C:\WINDOWS\system32\ipnpkdbq.dll
2008-04-10 21:41:56 88128 --a------ C:\WINDOWS\system32\skstvovk.dll
2008-04-10 09:43:25 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-10 08:19:44 182284 --ahs---- C:\WINDOWS\system32\qpVEdMoq.ini2
2008-04-10 08:19:29 270848 -----n--- C:\WINDOWS\system32\qoMdEVpq.dll
2008-04-10 08:17:04 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-04-10 08:14:26 38400 --a------ C:\WINDOWS\mrofinu1188.exe
2008-04-10 08:14:11 0 d-------- C:\WINDOWS\system32\comz
2008-04-10 08:14:10 0 d-------- C:\WINDOWS\system32\cb4
2008-04-10 08:14:03 0 d-------- C:\WINDOWS\system32\bharebio18
2008-04-10 08:13:33 37888 --a------ C:\WINDOWS\system32\xxyaxWMC.dll
2008-04-10 07:57:08 0 d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-04-04 08:46:51 0 d-------- C:\WINDOWS\48B8222675E34E9092CCD30F79EA6380.TMP
2008-04-02 20:29:46 0 d-------- C:\Program Files\Safari
2008-04-02 20:24:55 0 d-------- C:\Program Files\iPod
2008-03-26 11:32:54 0 d-------- C:\Documents and Settings\All Users\SendTo
2008-03-19 22:22:58 280 --a------ C:\WINDOWS\system32\PDBootState
2008-03-16 21:08:39 0 d-------- C:\var
2008-03-16 21:08:38 146432 --a------ C:\WINDOWS\UNWISE.EXE


-- Find3M Report ---------------------------------------------------------------

2008-04-13 13:40:49 0 d-------- C:\Program Files\Norton Security Scan
2008-04-10 09:43:25 0 d-------- C:\Program Files\Common Files
2008-04-10 09:37:16 0 d-------- C:\Program Files\Common Files\Real
2008-04-08 20:43:31 0 d-------- C:\Program Files\QuickTax 2007
2008-04-05 23:38:09 0 d-------- C:\Documents and Settings\Rob\Application Data\Real
2008-04-04 17:31:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-02 20:43:01 0 d-------- C:\Documents and Settings\Rob\Application Data\Apple Computer
2008-04-02 20:25:55 0 d-------- C:\Program Files\iTunes
2008-04-02 20:16:35 0 d-------- C:\Program Files\QuickTime
2008-03-26 12:24:31 0 d-------- C:\Program Files\RamBooster 2.0
2008-03-26 12:21:30 0 d--h----- C:\Documents and Settings\Rob\Application Data\GTek
2008-03-26 12:01:17 0 d-------- C:\Program Files\Freeciv-2.1.1-gtk2
2008-03-26 12:00:24 0 d-------- C:\Program Files\Startup Optimizer
2008-03-25 21:08:39 0 d-------- C:\Program Files\NovaLogic
2008-03-25 20:02:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-25 20:02:16 0 d-------- C:\Program Files\EPSON
2008-03-25 19:07:41 0 d--h----- C:\Program Files\Zero G Registry
2008-03-25 12:47:54 0 d-------- C:\Documents and Settings\Rob\Application Data\EPSON
2008-03-25 12:41:42 0 d-------- C:\Program Files\Handbrake
2008-03-25 12:18:08 0 d-------- C:\Documents and Settings\Rob\Application Data\Uniblue
2008-03-25 11:57:22 0 d-------- C:\Program Files\Uniblue
2008-03-23 23:37:55 0 d-------- C:\Documents and Settings\Rob\Application Data\DNA
2008-03-19 13:42:48 0 d-------- C:\Program Files\Bible
2008-03-07 11:12:30 0 d-------- C:\Documents and Settings\Rob\Application Data\BitTorrent
2008-03-02 19:52:44 0 d-------- C:\Program Files\AviSynth 2.5
2008-03-02 19:49:02 65 --a------ C:\WINDOWS\system32\BD7020.dat
2008-03-02 13:31:07 0 d-------- C:\Program Files\Pure Networks
2008-03-02 13:16:35 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-02-26 21:22:16 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-26 21:13:09 0 d-------- C:\Documents and Settings\Rob\Application Data\AVG7
2008-02-26 19:38:12 0 d-------- C:\Program Files\Common Files\Authentium
2008-02-26 19:37:10 0 d-------- C:\Program Files\Raxco
2008-02-26 19:36:26 0 d-------- C:\Program Files\CA
2008-02-26 19:32:26 0 d-------- C:\Program Files\Bell
2008-02-26 19:13:06 0 d-------- C:\Documents and Settings\Rob\Application Data\InstallShield
2008-02-26 19:08:56 0 d-------- C:\Documents and Settings\Rob\Application Data\Bell
2008-02-20 14:20:05 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-19 19:52:36 0 d-------- C:\Program Files\Groove Games
2008-02-19 19:51:59 0 d-------- C:\Documents and Settings\Rob\Application Data\Groove Games
2008-02-08 12:33:07 3441 --a------ C:\WINDOWS\unins000.dat
2008-02-08 12:31:25 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F1023FD-EABB-4CE1-B32B-EF42C3C3D42D}]
04/10/2008 08:19 AM 270848 --------- C:\WINDOWS\system32\qoMdEVpq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ce0c32b-a20f-447d-a77b-e27f9897fa1c}]
04/12/2008 09:54 PM 92736 --a------ C:\WINDOWS\system32\eqbdeqxq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]
04/10/2008 08:13 AM 37888 --a------ C:\WINDOWS\system32\xxyaxWMC.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/20/2001 12:46 AM]
"9382 UFD Monitor"="C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe" [09/17/2003 06:42 PM]
"9382 UFD Utility"="C:\Program Files\EasyDisk UFD Tool\USBTool.exe" [09/18/2003 11:39 AM]
"CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [01/29/2003 03:19 AM]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [03/11/2005 07:08 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 11:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 03:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 04:04 PM]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [11/11/2004 06:14 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [01/07/2005 06:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [03/27/2007 11:33 AM]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [08/27/2007 05:57 PM]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [01/08/2008 06:20 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/10/2008 09:21 AM]
"b061e609"="C:\WINDOWS\system32\pjegbptq.dll" [04/12/2008 09:57 PM]
"BMb352d595"="C:\WINDOWS\system32\aowkaorl.dll" [04/12/2008 09:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/04/2007 02:38 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Bell\Security Manager\IdxClnR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Bell\Security Manager\IdxClnR.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"HideClock"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{63AB48C9-01A8-495C-8194-A715DB8A37A2}"= C:\WINDOWS\system32\xxyaxWMC.dll [04/10/2008 08:13 AM 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyaxWMC]
xxyaxWMC.dll 04/10/2008 08:13 AM 37888 C:\WINDOWS\system32\xxyaxWMC.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMdEVpq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter Utility.lnk]
backup=C:\WINDOWS\pss\Wireless-G Notebook Adapter Utility.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashEnc]
c:\FlashEnc\FlashEnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ATIModeChange"=Ati2mdxx.exe
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be9c3ae1-4c19-11dc-8987-00042358e184}]
AutoRun\command- ie.exe
explore\Command- ie.exe
open\Command- ie.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8002 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-13 19:04:34 ------------

And from extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1300MHz
Percentage of Memory in Use: 81%
Physical Memory (total/avail): 255.48 MiB / 47.99 MiB
Pagefile Memory (total/avail): 617.38 MiB / 262.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.84 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 13.73 GiB free.
D: is Removable (Unformatted)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - TOSHIBA MK4018GAP - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

\\.\PHYSICALDRIVE1 - Winbond Secure Digital Drive



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Sympatico Security Manager Firewall v6.0.1 (Bell Sympatico (b1xxxxxx)) Disabled
AV: Sympatico Security Manager Anti-Virus v6.0.1 (Bell Sympatico (b1xxxxxx)) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Pharos\\bin\\PSNotify.exe"="C:\\Program Files\\Pharos\\bin\\PSNotify.exe:*:Enabled:Pharos Notify Client "

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\khost.exe:*:Enabled:Secure Delivery Plug-In"
"C:\\Program Files\\Refworks\\WriteNCite.exe"="C:\\Program Files\\Refworks\\WriteNCite.exe:*:Enabled:WriteNCite"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Eidos Interactive\\Pyro Studios\\Praetorians\\Praetorians.exe"="C:\\Program Files\\Eidos Interactive\\Pyro Studios\\Praetorians\\Praetorians.exe:*:Enabled:Praetorians"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Pharos\\bin\\PSNotify.exe"="C:\\Program Files\\Pharos\\bin\\PSNotify.exe:*:Enabled:Pharos Notify Client "
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Kontiki\\bin\\kontiki.exe"="C:\\Program Files\\Kontiki\\bin\\kontiki.exe:*:Disabled:Kontiki Client"
"C:\\Program Files\\BitPim\\bitpim.exe"="C:\\Program Files\\BitPim\\bitpim.exe:*:Enabled:View and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones."
"C:\\Program Files\\Freeciv-2.1.1-gtk2\\civserver.exe"="C:\\Program Files\\Freeciv-2.1.1-gtk2\\civserver.exe:*:Enabled:civserver"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\Update.exe"="C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\Update.exe:*:Enabled:Update"
"C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\DFLW.EXE"="C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\DFLW.EXE:*:Disabled:DFLW"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\Pure Networks Shared\\Platform\\nmsrvc.exe"="C:\\Program Files\\Common Files\\Pure Networks Shared\\Platform\\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Platform Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob\Application Data
CLASSPATH=.;"C:\WINDOWS\System32\QTJava.zip";C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob
LOGONSERVER=\\LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=c:\program files\imagemagick-6.3.2-q16;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\PharosSystems\OutputManagement;C:\Program Files\PharosSystems\Core;C:\Program Files\CA\PPRT\bin;C:\var\perl\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
STACKS=0,0
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
TMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
USERDOMAIN=LAPTOP
USERNAME=Rob
USERPROFILE=C:\Documents and Settings\Rob
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob (admin)
Leila (admin)
Aliyah (admin)
Zara (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 5.0 Limited Edition --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0 LE\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0 LE\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Ahead InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Ahead InCD EasyWrite Reader --> C:\WINDOWS\UNMrw.exe /UNINSTALL
Ahead NeroMediaPlayer --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Ahead NeroVision Express --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Alps Touch Pad --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Apoint2K\Apoint.isu" -c"C:\Program Files\Apoint2K\ApInst.dll"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoImpression --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C5D7191-140A-11D6-B5A0-0050DA208A93}\Setup.exe" -l0x9 -uninst
Aspell 0.6 Dictionary (Language: en) --> "C:\Documents and Settings\All Users\Application Data\Aspell\Dictionaries\Uninstall-AspellDict-en.exe"
Aspell Data --> "C:\Documents and Settings\All Users\Application Data\Aspell\Uninstall-AspellData.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}
BlueSoleil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\setup.exe" -l0x9
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CNET Download Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchiSetup -ether"C:\Program Files\InstallShield Installation Information\{0B4686AE-A1A7-4477-B8EA-65033218474E}" -l0x9 /ku /kp /kc
CorelDRAW ESSENTIALS --> MsiExec.exe /I{CFE78643-3CDB-46EF-9677-795415937ABB}
Delta Force Land Warrior --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NovaLogic\Delta Force Land Warrior\Uninst.isu"
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
Easy Button --> C:\WINDOWS\UnInst32.exe CplBCL50.UNI
EasyDisk UFD Tool --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{3E9D5FEC-0AA9-4280-8840-E42F8DCFFEF0} /l1033
EPSON Copy Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON PhotoQuicker3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2EFE303-A594-11D5-95EB-005004BC1C65}\setup.exe" uninst
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
EPSON TWAIN 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\Setup.exe" -l0x9 UNINSTALL
Free Window Registry Repair --> C:\PROGRA~1\FREEWI~1\UNWISE.EXE C:\PROGRA~1\FREEWI~1\INSTALL.LOG
Garmin i2/i3 City Navigator North America NT v8 --> MsiExec.exe /X{D5CC418A-3FC9-4892-B79E-DBC565D9402A}
Garmin MapSource --> MsiExec.exe /X{F3B76517-C1BC-40A7-814C-4C0A87E7D9DF}
GCDCreator v1.1.0 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\GCDCreator\ST6UNST.LOG"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GPL Ghostscript 8.54 --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.54\uninstal.txt"
GPL Ghostscript Fonts --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 1.99.1 --> C:\HJT\HijackThis.exe /uninstall
ImageMagick 6.3.2-8 Q16 (03/01/07) --> "C:\Program Files\ImageMagick-6.3.2-Q16\unins000.exe"
Ink Monitor --> C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java 2 Runtime Environment, SE v1.4.2_08 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142080}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Network Magic --> C:\Documents and Settings\All Users\Application Data\Pure Networks\Setup\nmsetup.exe /uninstall
Norton Security Scan --> MsiExec.exe /I{DA15D535-5E1D-4076-B520-8571346D6238}
Nvu 1.0 --> "C:\Program Files\Nvu\unins000.exe"
Odyssey Client --> MsiExec.exe /X{99D42EC7-652B-4819-B3E6-6450C815E03F}
Online Bible 9.32 --> C:\Program Files\Bible\OlbDel.Exe "Online Bible" "Online Bible" "C:\Documents and Settings\Rob\My Documents\Bible\" "C:\Documents and Settings\All Users\Documents\Online Bible\"
OpenMG Limited Patch 4.1-05-15-25-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-15-25-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
PDF reDirect (remove only) --> C:\Program Files\PDF reDirect\Uninstall.exe
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
Pharos --> C:\PROGRA~1\Pharos\bin\Local.EXE
PPSDKRedistributables --> MsiExec.exe /I{C869F4FF-E5FF-4FBB-9A31-33C23605E170}
Praetorians --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAC8AF92-DAEC-45D2-B77D-36699E3751A9}\Setup.exe"
QuickTax 2003 Standard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28E24092-3BAE-4D38-A57B-F830862E3A31}\setup.exe" -l0x9 -uninst
QuickTax 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53337CA9-E9A4-4C59-9D1C-D980EF9BF0C2}\isetup.ex_" -l0x9 -uninst
QuickTax 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8D0BC3E-67DF-48A3-ACC9-EEAA8DBFBF29}\isetup.ex_" -l0x9 -uninst
QuickTax 2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAFDA89B-1031-4BDB-8619-DE20CBDEDF32}\isetup.ex_" -l0x9 -uninst
QuickTax 2007 --> MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
QuickTime for Windows (32-bit) --> C:\WINDOWS\QTW32DEL.EXE
Radialpoint Security Services --> MsiExec.exe /X{5DFDEAAA-E050-482E-A5B6-138CAE53F7BF}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Realtek Fast Ethernet Adapter Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\Setup.exe" -l0x9 REMOVE
RPS Ad Blocker --> MsiExec.exe /I{08B9D8A5-0F7F-4746-AE09-563DFE6D160A}
RPS AntiFraud --> MsiExec.exe /I{494E1223-4444-4C25-B1C6-0D73F16947DE}
RPS AntiSpyware --> MsiExec.exe /I{2141E76D-84AC-48E1-8592-583A7AEF4890}
RPS AntiVirus --> MsiExec.exe /I{9F82A8D5-E726-46A5-A240-F7F72A0E2704}
RPS App Detector --> MsiExec.exe /I{60D2CAA2-3442-4BFA-A7A5-44C4B49E39D9}
RPS AsRealtime --> MsiExec.exe /I{27B6A332-950C-4C4B-AC00-47882F09565B}
RPS Backup --> MsiExec.exe /I{63ADC0A3-BE18-4351-958D-396D44FA7604}
RPS Burn --> MsiExec.exe /I{88C2DEBD-678E-473D-A10B-4101EBDFE370}
RPS Diagnostic Utility --> MsiExec.exe /I{A6433CA5-384B-4E15-8270-B511F94B86AE}
RPS Firewall --> MsiExec.exe /I{8B02DC37-9997-4723-90E2-DE64CBFEF2BD}
RPS ParentalControl --> MsiExec.exe /I{B0B9010D-24C6-413E-8710-4C4BD2D41BF4}
RPS Performance Tool --> MsiExec.exe /I{62114582-0B19-4222-A056-D4166374C43E}
RPS PopupBlocker --> MsiExec.exe /I{CCEA4F64-091F-4E97-9043-898A08DA1AA6}
RPS Privacy Manager --> MsiExec.exe /I{C34CC6A7-B46A-4C5A-9CCF-229307BE2F7A}
RPS RpsCore --> MsiExec.exe /I{2F5B9C05-67AB-4737-858C-86B471DA5F1D}
RPS Security Cleanup --> MsiExec.exe /I{A92192EB-DF5A-4034-925A-1546EF97538B}
RPS Zip --> MsiExec.exe /I{47001112-05C9-4CE7-B6C6-AA6CAD9CFDFD}
Safari --> MsiExec.exe /I{F0E8F94D-6E68-4B35-92DF-3AA6DC6A6768}
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SD Viewer for DSC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A8D3524-79DB-11D5-99D1-00010256D40E}\setup.exe"
Secure Delivery --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\kdx\kdx.inf,DefaultUninstall,5
Secure Disk --> c:\FlashEnc\Flashenc.exe /uninstall
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Smart Link 56K Modem --> C:\WINDOWS\Modio\SLAMR2KO\Setup.exe /Remove
SMSC IrCC Driver V5.1.2462.0 (WinXP) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC86822D-3A20-11D5-801B-00E029348F40}\Setup.exe"
SonicStage 3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Sympatico Security Advisor 1.5.11 --> "C:\Program Files\Bell\Sympatico Security Advisor\unins000.exe"
Sympatico Security Manager --> C:\Program Files\InstallShield Installation Information\{98C99357-67C9-407B-8361-626F6A0667EB}\setup.exe -runfromtemp -l0x0009 -removeonly
Teknia Language Tools (Greek) --> C:\PROGRA~1\Teknia\UNWISE.EXE C:\PROGRA~1\Teknia\INSTALL.LOG
Tiger Woods PGA TOUR 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7E91306C-899F-45F3-B5E9-4B480A27A63D}\Setup.exe" -l0x9 uninstallme
Videora iPod touch Converter 3.07 --> C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
WinCleaner Memory Optimizer Version 5.2 --> "C:\Program Files\WinCleaner Memory Optimizer\unins000.exe"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
WordPerfect Office 2002 OEM --> C:\WINDOWS\Corel\uninst32.exe
Write-N-Cite --> C:\PROGRA~1\Refworks\UNWISE.EXE C:\PROGRA~1\Refworks\INSTALL.LOG
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type18928 / Error
Event Submitted/Written: 04/13/2008 06:53:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iTunes.exe, version 7.6.2.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type18927 / Error
Event Submitted/Written: 04/13/2008 06:53:14 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iTunes.exe, version 7.6.2.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type18920 / Error
Event Submitted/Written: 04/13/2008 01:41:01 PM
Event ID/Source: 1013 / MsiInstaller
Event Description:
Product: Norton Security Scan -- Installation terminated

Event Record #/Type18916 / Error
Event Submitted/Written: 04/13/2008 01:38:45 PM
Event ID/Source: 1013 / MsiInstaller
Event Description:
Product: Norton Security Scan -- Installation terminated

Event Record #/Type18908 / Warning
Event Submitted/Written: 04/13/2008 01:32:53 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type42090 / Error
Event Submitted/Written: 04/13/2008 07:02:25 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type42089 / Error
Event Submitted/Written: 04/13/2008 06:53:11 PM
Event ID/Source: 2000 / Srv
Event Description:
The server's call to a system service failed unexpectedly.

Event Record #/Type42088 / Error
Event Submitted/Written: 04/13/2008 06:53:11 PM
Event ID/Source: 2000 / Srv
Event Description:
The server's call to a system service failed unexpectedly.

Event Record #/Type42087 / Error
Event Submitted/Written: 04/13/2008 06:50:39 PM / 04/13/2008 06:50:40 PM
Event ID/Source: 2000 / Srv
Event Description:
The server's call to a system service failed unexpectedly.

Event Record #/Type42086 / Error
Event Submitted/Written: 04/13/2008 06:50:39 PM / 04/13/2008 06:50:40 PM
Event ID/Source: 2000 / Srv
Event Description:
The server's call to a system service failed unexpectedly.



-- End of Deckard's System Scanner: finished at 2008-04-13 19:04:34 ------------

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:17 PM

Posted 15 April 2008 - 02:11 PM

Hello Rob and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you .

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Rob the Newbie

Rob the Newbie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 15 April 2008 - 10:30 PM

Thank you so much for your help. There were a few hiccups along the way; for example, I note that ComboFix says I did not install the Recovery Console, though I thought I followed the directions properly. Also, when the computer restarted, I got some RunDll errors. This is my second reply, as I seemed to have an older copy of HJT, so I reposted, in case there are two reponses to your post. Again, thank-you!

Anyway, here are the logs in the following order: Malwarebytes, ComboFix and HJT:

Malwarebytes' Anti-Malware 1.11
Database version: 635

Scan type: Quick Scan
Objects scanned: 38411
Time elapsed: 19 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qoMdEVpq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xxyaxWMC.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c0136ad-4870-4c9c-b4bc-fd646308038b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6c0136ad-4870-4c9c-b4bc-fd646308038b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{63ab48c9-01a8-495c-8194-a715db8a37a2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63ab48c9-01a8-495c-8194-a715db8a37a2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyaxwmc (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{63ab48c9-01a8-495c-8194-a715db8a37a2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMb352d595 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdevpq -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdevpq -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\bharebio18 (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Rob\Application Data\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\qoMdEVpq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qpVEdMoq.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qpVEdMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbfmyueq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qeuymfbv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyaxWMC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ikjyooik.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipnpkdbq.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iuwnevnb.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onesvsgg.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rbjexnij.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe.tmp (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bharebio18\bharebio182328.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\entvdiwj.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\x.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.

ComboFix 08-04-15.1 - Rob 2008-04-15 22:16:08.1 - NTFSx86
Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aowkaorl.dll
C:\WINDOWS\system32\entvdiwj.dll
C:\WINDOWS\system32\eqbdeqxq.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\phnljmhk.dll
C:\WINDOWS\system32\qoMdEVpq.dll
C:\WINDOWS\system32\qpVEdMoq.ini
C:\WINDOWS\system32\qpVEdMoq.ini2
C:\WINDOWS\system32\skstvovk.dll
C:\WINDOWS\system32\tnsvfcvh.dll
C:\WINDOWS\system32\usejwlnb.dll
C:\WINDOWS\system32\wvUlkHwW.dll
C:\WINDOWS\system32\xegcrjdc.dll
C:\WINDOWS\system32\xxyaxWMC.dll
C:\WINDOWS\Fonts\-

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_NWSAPAGENT
-------\Service_6to4
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 21:22 . 2008-04-15 21:22 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Malwarebytes
2008-04-15 21:20 . 2008-04-15 21:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-15 21:20 . 2008-04-15 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 20:49 . 2008-04-15 20:49 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
2008-04-15 20:49 . 2008-04-15 20:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-04-14 23:03 . 2008-04-15 20:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 01:07 . 2008-04-15 20:49 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-13 21:54 . 2008-04-14 22:41 774 ---hs---- C:\WINDOWS\system32\qvpdabuw.ini
2008-04-13 20:19 . 2008-04-13 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-13 20:17 . 2008-04-13 20:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 18:56 . 2008-04-13 18:56 <DIR> d-------- C:\Deckard
2008-04-12 21:57 . 2008-04-13 20:15 654 ---hs---- C:\WINDOWS\system32\qtpbgejp.ini
2008-04-12 20:32 . 2008-04-12 20:32 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-12 13:42 . 2008-04-15 22:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 13:42 . 2008-04-12 13:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 21:50 . 2008-04-12 21:50 474 ---hs---- C:\WINDOWS\system32\kownqxoq.ini
2008-04-10 21:46 . 2008-04-11 21:46 354 ---hs---- C:\WINDOWS\system32\htmrrcrt.ini
2008-04-10 21:42 . 2008-04-14 22:28 101,091 --a------ C:\WINDOWS\BMb352d595.xml
2008-04-10 09:43 . 2008-04-10 09:43 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-10 08:17 . 2008-04-10 08:17 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-10 08:14 . 2008-04-15 20:49 <DIR> d-------- C:\WINDOWS\system32\comz
2008-04-10 08:14 . 2008-04-12 17:21 <DIR> d-------- C:\WINDOWS\system32\cb4
2008-04-10 08:14 . 2008-04-15 21:46 <DIR> d-------- C:\WINDOWS\system32\bharebio18
2008-04-10 08:14 . 2008-04-10 08:14 <DIR> d-------- C:\temp\wdlw14
2008-04-10 07:57 . 2008-04-12 13:47 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-04-04 08:46 . 2008-04-04 08:46 <DIR> d-------- C:\WINDOWS\48B8222675E34E9092CCD30F79EA6380.TMP
2008-04-02 20:29 . 2008-04-02 20:30 <DIR> d-------- C:\Program Files\Safari
2008-04-02 20:24 . 2008-04-02 20:24 <DIR> d-------- C:\Program Files\iPod
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-19 22:22 . 2008-03-26 18:45 280 --a------ C:\WINDOWS\system32\PDBootState
2008-03-16 21:08 . 2008-03-16 21:10 <DIR> d-------- C:\var
2008-03-16 21:08 . 2004-02-18 16:47 146,432 --a------ C:\WINDOWS\UNWISE.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 00:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-16 00:48 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-16 00:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 13:37 --------- d-----w C:\Program Files\Common Files\Real
2008-04-10 13:24 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-10 13:24 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-09 00:43 --------- d-----w C:\Program Files\QuickTax 2007
2008-04-03 00:43 --------- d-----w C:\Documents and Settings\Rob\Application Data\Apple Computer
2008-04-03 00:25 --------- d-----w C:\Program Files\iTunes
2008-04-03 00:16 --------- d-----w C:\Program Files\QuickTime
2008-03-26 16:24 --------- d-----w C:\Program Files\RamBooster 2.0
2008-03-26 16:21 --------- d--h--w C:\Documents and Settings\Rob\Application Data\GTek
2008-03-26 16:01 --------- d-----w C:\Program Files\Freeciv-2.1.1-gtk2
2008-03-26 16:00 --------- d-----w C:\Program Files\Startup Optimizer
2008-03-26 01:08 --------- d-----w C:\Program Files\NovaLogic
2008-03-26 00:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 00:02 --------- d-----w C:\Program Files\EPSON
2008-03-25 23:07 --------- d--h--w C:\Program Files\Zero G Registry
2008-03-25 16:47 --------- d-----w C:\Documents and Settings\Rob\Application Data\EPSON
2008-03-25 16:41 --------- d-----w C:\Program Files\Handbrake
2008-03-25 16:18 --------- d-----w C:\Documents and Settings\Rob\Application Data\Uniblue
2008-03-25 15:57 --------- d-----w C:\Program Files\Uniblue
2008-03-24 03:37 --------- d-----w C:\Documents and Settings\Rob\Application Data\DNA
2008-03-19 17:42 --------- d-----w C:\Program Files\Bible
2008-03-16 02:26 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-03-07 15:12 --------- d-----w C:\Documents and Settings\Rob\Application Data\BitTorrent
2008-03-02 23:52 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-02 17:31 --------- d-----w C:\Program Files\Pure Networks
2008-03-02 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-03-02 17:16 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-02-27 01:22 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-27 01:13 --------- d-----w C:\Documents and Settings\Zara\Application Data\AVG7
2008-02-27 01:13 --------- d-----w C:\Documents and Settings\Rob\Application Data\AVG7
2008-02-27 01:13 --------- d-----w C:\Documents and Settings\Leila\Application Data\AVG7
2008-02-27 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-26 23:38 --------- d-----w C:\Program Files\Common Files\Authentium
2008-02-26 23:37 --------- d-----w C:\Program Files\Raxco
2008-02-26 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-02-26 23:36 --------- d-----w C:\Program Files\CA
2008-02-26 23:32 --------- d-----w C:\Program Files\Bell
2008-02-26 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
2008-02-26 23:13 --------- d-----w C:\Documents and Settings\Rob\Application Data\InstallShield
2008-02-26 23:08 --------- d-----w C:\Documents and Settings\Rob\Application Data\Bell
2008-02-20 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-19 23:52 --------- d-----w C:\Program Files\Groove Games
2008-02-19 23:51 --------- d-----w C:\Documents and Settings\Rob\Application Data\Groove Games
2008-02-08 16:31 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-10-22 00:17 220,600 ----a-w C:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2006-03-30 05:11 64,512 ---ha-w C:\Documents and Settings\Rob\Application Data\rbap450.dll
2006-03-30 05:11 1,360,384 ---ha-w C:\Documents and Settings\Rob\Application Data\V4RB.dll
1996-11-29 03:35 185,643 ----a-w C:\Documents and Settings\Rob\LATIN.EXE
1994-02-23 14:58 55,264 ----a-w C:\Documents and Settings\Rob\QPRO200.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25ab7ff4-e22a-470b-8c67-821234cb5e1b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C0136AD-4870-4C9C-B4BC-FD646308038B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 14:38 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-10-20 00:46 118784]
"9382 UFD Monitor"="C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe" [2003-09-17 18:42 45056]
"9382 UFD Utility"="C:\Program Files\EasyDisk UFD Tool\USBTool.exe" [2003-09-18 11:39 421888]
"CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [2003-01-29 03:19 163840]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-03-11 07:08 81920]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 11:33 2061816]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 17:57 13552]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 18:20 451896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-10 09:21 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter Utility.lnk]
backup=C:\WINDOWS\pss\Wireless-G Notebook Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2002-10-13 00:00 294912 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashEnc]
--a------ 2004-08-17 19:10 364032 c:\FlashEnc\FlashEnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2003-09-15 21:00 270336 C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2002-08-05 04:37 258116 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2002-10-08 06:03 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ATIModeChange"=Ati2mdxx.exe
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\kdx\\khost.exe"=
"C:\\Program Files\\Refworks\\WriteNCite.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Eidos Interactive\\Pyro Studios\\Praetorians\\Praetorians.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Kontiki\\bin\\kontiki.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\Update.exe"=
"C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\DFLW.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 19:07]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-13 01:27]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
R3 WBSD;Winbond Secure Digital Storage Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS [2002-11-08 00:28]
S2 TREKTH2K;Thumb Drive Device;C:\WINDOWS\system32\Drivers\TREKTH2K.sys [2000-09-18 23:13]
S3 AlcrFilt;Alcor Micro Corp;C:\WINDOWS\System32\Drivers\AlcrFilt.sys [2003-02-24 11:15]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 03:56]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 02:01]
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-01-31 06:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be9c3ae1-4c19-11dc-8987-00042358e184}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 02:03:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-04 19:13:23 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-04 15:58:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-25 15:58:25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-13 23:44:45 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-05-19 15:09:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 22:36:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bell\Security Manager\Fws.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-15 22:57:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 02:57:27
ComboFix2.txt 2007-01-03 16:53:41

Pre-Run: 14,414,266,368 bytes free
Post-Run: 15,243,411,456 bytes free
.
2008-03-16 07:16:13 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:25 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\Program Files\EzButton\CplBCL50.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Desktop\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [CplBCL50] C:\Program Files\EzButton\CplBCL50.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137773602446
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://F:\Content\include\msSecUcd.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 12296 bytes

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:17 PM

Posted 16 April 2008 - 05:09 AM

Hello Rob,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:File::
C:\WINDOWS\system32\qvpdabuw.ini
C:\WINDOWS\system32\qtpbgejp.ini
C:\WINDOWS\system32\kownqxoq.ini
C:\WINDOWS\system32\htmrrcrt.ini
C:\WINDOWS\BMb352d595.xml
C:\WINDOWS\TEMP\mc21.tmp
Folder::
C:\WINDOWS\system32\comz
C:\WINDOWS\system32\cb4
C:\WINDOWS\system32\bharebio18
C:\temp\wdlw14
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25ab7ff4-e22a-470b-8c67-821234cb5e1b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C0136AD-4870-4C9C-B4BC-FD646308038B}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh HijackThislog.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 Rob the Newbie

Rob the Newbie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 16 April 2008 - 08:44 AM

I drag the script over and ComboFix has a bar that moves as if it is thinking about something, but it does not actually run. This is actually what happened when I tried to install the Recovery Console. Any ideas?

Otherwise, there seems to be improvement; I wil try various things and let you know soon.

Thanks!

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:17 PM

Posted 16 April 2008 - 10:37 AM

Hello Rob,

If you don't get any results, then execute the procedure in safe mode :

Boot your computer in Safe Mode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows window appears, tap the F8 key continually;
  • Instead of loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Now drop the CFScript.txt file onto ComboFix and see if it can perform a complete run.

Please post the new ComboFix log in your next reply. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 Rob the Newbie

Rob the Newbie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 16 April 2008 - 11:37 AM

I will do so...but meanwhile, I ran a Registry cleaner and ran a fresh HJT file, which is below. I will post another one if what you say works.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:26 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\Program Files\EzButton\CplBCL50.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bell\Security Manager\RPS.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Documents and Settings\All Users\Desktop\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [CplBCL50] C:\Program Files\EzButton\CplBCL50.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sympatico Security Manager] C:\Program Files\Bell\Security Manager\RPS.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137773602446
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://F:\Content\include\msSecUcd.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 12173 bytes

#8 Rob the Newbie

Rob the Newbie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 16 April 2008 - 12:31 PM

I went in safe mode and dragging it in still did not work. I ran ComboFix anyway and got the following, I should say, however, that I can access what I need on the Internet and there are no more popup windows for gambling. :-)

However, I did get a Windows memory error (not enough) at one point.


ComboFix 08-04-15.1 - Rob 2008-04-16 12:45:59.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 21:22 . 2008-04-15 21:22 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Malwarebytes
2008-04-15 21:20 . 2008-04-15 21:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-15 21:20 . 2008-04-15 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 20:49 . 2008-04-15 20:49 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
2008-04-15 20:49 . 2008-04-15 20:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-04-14 23:03 . 2008-04-15 20:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 01:07 . 2008-04-16 08:53 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-13 21:54 . 2008-04-14 22:41 774 ---hs---- C:\WINDOWS\system32\qvpdabuw.ini
2008-04-13 20:19 . 2008-04-13 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-13 20:17 . 2008-04-13 20:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 18:56 . 2008-04-13 18:56 <DIR> d-------- C:\Deckard
2008-04-12 21:57 . 2008-04-13 20:15 654 ---hs---- C:\WINDOWS\system32\qtpbgejp.ini
2008-04-12 20:32 . 2008-04-12 20:32 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-12 13:42 . 2008-04-16 08:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 13:42 . 2008-04-12 13:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 21:50 . 2008-04-12 21:50 474 ---hs---- C:\WINDOWS\system32\kownqxoq.ini
2008-04-10 21:46 . 2008-04-11 21:46 354 ---hs---- C:\WINDOWS\system32\htmrrcrt.ini
2008-04-10 21:42 . 2008-04-14 22:28 101,091 --a------ C:\WINDOWS\BMb352d595.xml
2008-04-10 09:43 . 2008-04-10 09:43 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-10 08:17 . 2008-04-10 08:17 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-10 08:14 . 2008-04-15 20:49 <DIR> d-------- C:\WINDOWS\system32\comz
2008-04-10 08:14 . 2008-04-12 17:21 <DIR> d-------- C:\WINDOWS\system32\cb4
2008-04-10 08:14 . 2008-04-15 21:46 <DIR> d-------- C:\WINDOWS\system32\bharebio18
2008-04-10 08:14 . 2008-04-10 08:14 <DIR> d-------- C:\temp\wdlw14
2008-04-10 07:57 . 2008-04-12 13:47 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-04-04 08:46 . 2008-04-04 08:46 <DIR> d-------- C:\WINDOWS\48B8222675E34E9092CCD30F79EA6380.TMP
2008-04-02 20:29 . 2008-04-02 20:30 <DIR> d-------- C:\Program Files\Safari
2008-04-02 20:24 . 2008-04-02 20:24 <DIR> d-------- C:\Program Files\iPod
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-19 22:22 . 2008-03-26 18:45 280 --a------ C:\WINDOWS\system32\PDBootState
2008-03-16 21:08 . 2008-03-16 21:10 <DIR> d-------- C:\var
2008-03-16 21:08 . 2004-02-18 16:47 146,432 --a------ C:\WINDOWS\UNWISE.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 00:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-16 00:48 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-16 00:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 13:37 --------- d-----w C:\Program Files\Common Files\Real
2008-04-10 13:24 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-10 13:24 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-09 00:43 --------- d-----w C:\Program Files\QuickTax 2007
2008-04-03 00:43 --------- d-----w C:\Documents and Settings\Rob\Application Data\Apple Computer
2008-04-03 00:25 --------- d-----w C:\Program Files\iTunes
2008-04-03 00:16 --------- d-----w C:\Program Files\QuickTime
2008-03-26 16:24 --------- d-----w C:\Program Files\RamBooster 2.0
2008-03-26 16:21 --------- d--h--w C:\Documents and Settings\Rob\Application Data\GTek
2008-03-26 16:01 --------- d-----w C:\Program Files\Freeciv-2.1.1-gtk2
2008-03-26 16:00 --------- d-----w C:\Program Files\Startup Optimizer
2008-03-26 01:08 --------- d-----w C:\Program Files\NovaLogic
2008-03-26 00:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 00:02 --------- d-----w C:\Program Files\EPSON
2008-03-25 23:07 --------- d--h--w C:\Program Files\Zero G Registry
2008-03-25 16:47 --------- d-----w C:\Documents and Settings\Rob\Application Data\EPSON
2008-03-25 16:41 --------- d-----w C:\Program Files\Handbrake
2008-03-25 16:18 --------- d-----w C:\Documents and Settings\Rob\Application Data\Uniblue
2008-03-25 15:57 --------- d-----w C:\Program Files\Uniblue
2008-03-24 03:37 --------- d-----w C:\Documents and Settings\Rob\Application Data\DNA
2008-03-19 17:42 --------- d-----w C:\Program Files\Bible
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 02:26 53,192 ----a-w C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-03-07 15:12 --------- d-----w C:\Documents and Settings\Rob\Application Data\BitTorrent
2008-03-02 23:52 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-02 17:31 --------- d-----w C:\Program Files\Pure Networks
2008-03-02 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-03-02 17:16 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 01:22 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-27 01:13 --------- d-----w C:\Documents and Settings\Zara\Application Data\AVG7
2008-02-27 01:13 --------- d-----w C:\Documents and Settings\Rob\Application Data\AVG7
2008-02-27 01:13 --------- d-----w C:\Documents and Settings\Leila\Application Data\AVG7
2008-02-27 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-26 23:38 --------- d-----w C:\Program Files\Common Files\Authentium
2008-02-26 23:37 --------- d-----w C:\Program Files\Raxco
2008-02-26 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-02-26 23:36 --------- d-----w C:\Program Files\CA
2008-02-26 23:32 --------- d-----w C:\Program Files\Bell
2008-02-26 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
2008-02-26 23:13 --------- d-----w C:\Documents and Settings\Rob\Application Data\InstallShield
2008-02-26 23:08 --------- d-----w C:\Documents and Settings\Rob\Application Data\Bell
2008-02-20 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 23:52 --------- d-----w C:\Program Files\Groove Games
2008-02-19 23:51 --------- d-----w C:\Documents and Settings\Rob\Application Data\Groove Games
2008-02-08 16:31 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-10-22 00:17 220,600 ----a-w C:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2006-03-30 05:11 64,512 ---ha-w C:\Documents and Settings\Rob\Application Data\rbap450.dll
2006-03-30 05:11 1,360,384 ---ha-w C:\Documents and Settings\Rob\Application Data\V4RB.dll
1996-11-29 03:35 185,643 ----a-w C:\Documents and Settings\Rob\LATIN.EXE
1994-02-23 14:58 55,264 ----a-w C:\Documents and Settings\Rob\QPRO200.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 14:38 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Bell\Security Manager\IdxClnR.exe" [2007-08-27 17:56 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-10-20 00:46 118784]
"9382 UFD Monitor"="C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe" [2003-09-17 18:42 45056]
"9382 UFD Utility"="C:\Program Files\EasyDisk UFD Tool\USBTool.exe" [2003-09-18 11:39 421888]
"CplBCL50"="C:\Program Files\EzButton\CplBCL50.EXE" [2003-01-29 03:19 163840]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-03-11 07:08 81920]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 11:33 2061816]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 17:57 13552]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 18:20 451896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-10 09:21 185896]
"Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\RPS.exe" [2007-08-27 17:57 310000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter Utility.lnk]
backup=C:\WINDOWS\pss\Wireless-G Notebook Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2002-10-13 00:00 294912 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashEnc]
--a------ 2004-08-17 19:10 364032 c:\FlashEnc\FlashEnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2003-09-15 21:00 270336 C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2002-08-05 04:37 258116 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2002-10-08 06:03 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ATIModeChange"=Ati2mdxx.exe
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\kdx\\khost.exe"=
"C:\\Program Files\\Refworks\\WriteNCite.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Eidos Interactive\\Pyro Studios\\Praetorians\\Praetorians.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Kontiki\\bin\\kontiki.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\Update.exe"=
"C:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\DFLW.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 19:07]
R3 WBSD;Winbond Secure Digital Storage Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS [2002-11-08 00:28]
S2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-13 01:27]
S2 TREKTH2K;Thumb Drive Device;C:\WINDOWS\system32\Drivers\TREKTH2K.sys [2000-09-18 23:13]
S3 AlcrFilt;Alcor Micro Corp;C:\WINDOWS\System32\Drivers\AlcrFilt.sys [2003-02-24 11:15]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
S3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 03:56]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 02:01]
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-01-31 06:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be9c3ae1-4c19-11dc-8987-00042358e184}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 02:03:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-04 19:13:23 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-04 15:58:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-25 15:58:25 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-13 23:44:45 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-05-19 15:09:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 12:50:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-04-16 12:56:10
ComboFix-quarantined-files.txt 2008-04-16 16:55:06
ComboFix2.txt 2008-04-16 02:58:00
ComboFix3.txt 2007-01-03 16:53:41

Pre-Run: 15,300,694,016 bytes free
Post-Run: 15,297,089,536 bytes free
.
2008-04-16 04:08:56 --- E O F ---

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:17 PM

Posted 16 April 2008 - 02:19 PM

Hello Rob,

Let's see if we can get rid of the remaining malware files another way :

Open Notepad and copy and paste the bold, blue text below in it:@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\system32\qvpdabuw.ini
C:\WINDOWS\system32\qtpbgejp.ini
C:\WINDOWS\system32\kownqxoq.ini
C:\WINDOWS\system32\htmrrcrt.ini
C:\WINDOWS\BMb352d595.xml
C:\WINDOWS\TEMP\mc21.tmp) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
>>log.txt (
ECHO.
ECHO Deleting folders)
FOR %%I in (
C:\WINDOWS\system32\comz
C:\WINDOWS\system32\cb4
C:\WINDOWS\system32\bharebio18
C:\temp\wdlw14) DO (
IF EXIST %%I (
RD /S /Q %%I
IF EXIST %%I (
ECHO %%I not deleted>>log.txt
) ELSE (
ECHO %%I deleted>>log.txt)
) ELSE (
ECHO %%I not found>>log.txt))
START NOTEPAD.EXE log.txt


Save this as del.bat. Choose to save as "all files" and place it on your Desktop.
Doubleclick on it and post the content of the log file that opens in your next reply.

Now remove those registry entries like this :
Open Notepad and copy and paste the bold, blue text below in it:
(don't forget to copy and paste REGEDIT4)REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25ab7ff4-e22a-470b-8c67-821234cb5e1b}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C0136AD-4870-4C9C-B4BC-FD646308038B}]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]

Save this as fix.reg Choose to save as "all files" and place it on your Desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#10 Rob the Newbie

Rob the Newbie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 16 April 2008 - 05:13 PM

Okay, the log file is:

Deleting files
C:\WINDOWS\system32\qvpdabuw.ini deleted
C:\WINDOWS\system32\qtpbgejp.ini deleted
C:\WINDOWS\system32\kownqxoq.ini deleted
C:\WINDOWS\system32\htmrrcrt.ini deleted
C:\WINDOWS\BMb352d595.xml deleted
C:\WINDOWS\TEMP\mc21.tmp not found

Deleting folders
C:\WINDOWS\system32\comz deleted
C:\WINDOWS\system32\cb4 deleted
C:\WINDOWS\system32\bharebio18 deleted
C:\temp\wdlw14 deleted

And I am about to run the registry file.

Do you think that is it? If anything goes wrong with the .reg file, I'll let you know.

Rob

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:17 PM

Posted 17 April 2008 - 07:30 AM

Hello Rob,

I think we're nearly done here. :thumbsup:

Can you post a fresh HijackThis log please ?

If that looks good, we'll clean up whatever we used.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#12 Rob the Newbie

Rob the Newbie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 17 April 2008 - 08:08 AM

Sure thing! Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:39 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Security Manager\Fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
C:\Program Files\EasyDisk UFD Tool\USBTool.exe
C:\Program Files\EzButton\CplBCL50.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bell\Security Manager\RPS.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Desktop\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [9382 UFD Monitor] C:\Program Files\EasyDisk UFD Tool\UFDTMon.exe
O4 - HKLM\..\Run: [9382 UFD Utility] C:\Program Files\EasyDisk UFD Tool\USBTool.exe
O4 - HKLM\..\Run: [CplBCL50] C:\Program Files\EzButton\CplBCL50.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sympatico Security Manager] C:\Program Files\Bell\Security Manager\RPS.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Security Manager\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137773602446
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://F:\Content\include\msSecUcd.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 12214 bytes

#13 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:17 PM

Posted 17 April 2008 - 08:23 AM

Hello Rob,

Your log looks good. :thumbsup:

You can remove all used tools and created folders.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Your Java is still in need of updating. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
No problems anymore ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#14 Rob the Newbie

Rob the Newbie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 17 April 2008 - 10:46 PM

Looks good! I think it is solved! THANK-YOU!!!!

#15 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:17 PM

Posted 18 April 2008 - 02:14 AM

Glad we could help, Rob :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users