Virtumonde Infection


  • This topic is locked
9 replies to this topic

#1 Fledge182 (Members, 20 posts)

Posted 14 April 2008 - 10:40 AM

I've tried using Spybot S&D, Ad-Aware 2007, and Avast! antivirus, and they will typically say they are removing occurrences of Virtumonde, yet it always seems to pop back up.

Deckard's System Scanner v20071014.68
Run by Nathan Heimbruch on 2008-04-14 10:28:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
80: 2008-04-14 15:28:13 UTC - RP1353 - Deckard's System Scanner Restore Point
79: 2008-04-14 04:26:19 UTC - RP1352 - System Checkpoint
78: 2008-04-12 22:36:24 UTC - RP1351 - Installed Ad-Aware 2007
77: 2008-04-12 03:00:43 UTC - RP1350 - Software Distribution Service 3.0
76: 2008-04-11 21:46:17 UTC - RP1349 - Last known good configuration


-- First Restore Point --
1: 2008-01-17 02:41:24 UTC - RP1274 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 12.25 GiB (less than 15%) free.


-- HijackThis (run as Nathan Heimbruch.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-14 10:31:45
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Documents and Settings\Nathan Heimbruch\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {6d6cd6fb-2b97-7b9a-0d94-c3cdcdf169a2} - {2a961fdc-dc3c-49d0-a9b7-79b2bf6dc6d6} - C:\WINDOWS\SYSTEM32\ypfywepi.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: (no name) - {B82F29E4-8368-4B14-9C00-5138C0D94034} - C:\WINDOWS\SYSTEM32\vtUlIawT.dll
O2 - BHO: (no name) - {CD982E0E-5FF4-473D-A5CE-57BBEA75A07C} - C:\WINDOWS\SYSTEM32\efcDwUOI.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [BM67a510df] Rundll32.exe "C:\WINDOWS\system32\svdgmhkq.dll",s
O4 - HKLM\..\Run: [64962343] rundll32.exe "C:\WINDOWS\system32\vffruhqp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Startup: Shortcut to firefox.exe.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144101441703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} () - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: ddccy - C:\WINDOWS\system32\
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\system32\pmkjg.dll (file missing)
O20 - Winlogon Notify: regw - C:\WINDOWS\msagent\CHARS\regw.dll (file missing)
O20 - Winlogon Notify: vtUlIawT - C:\WINDOWS\system32\vtUlIawT.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\SYSTEM32\LEXBCES.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe /name:"NTLOAD" /start:"C:\WINDOWS\system\driver\csrss.exe"
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe /name:"NTSVCMGR" /start:"C:\WINDOWS\system\driver\services.exe C:\WINDOWS\system\driver\ntauth.dll"
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe


--
End of file - 10171 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\backups\) -----------------------------

backup-20070927-131459-373 O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb030YYUS

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NPPTNT - c:\windows\system32\npptnt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 MRVW245 (Marvell TOPDOG 802.11n WLAN Driver for Windows XP (USB8x)) - c:\windows\system32\drivers\mrvw245.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11n NIC>
R3 TarFltr (Razer Tarantula USB Keyboard) - c:\windows\system32\drivers\usbfltr.sys <Not Verified; Waytech Development, Inc.; Ortek USB Keypad>

S3 Alpham (Ideazon Merc Composite Keyboard Driver) - c:\windows\system32\drivers\alpham.sys <Not Verified; Ideazon Corporation; ZBoard® Keyboard Family>
S3 Alpham1 (Ideazon Merc USB Human Interface Device) - c:\windows\system32\drivers\alpham1.sys <Not Verified; Ideazon Corporation; ZBoard® Keyboard Family>
S3 Alpham2 (Ideazon Merc MM USB Human Interface Device) - c:\windows\system32\drivers\alpham2.sys <Not Verified; Ideazon Corporation; ZBoard® Keyboard Family>
S3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys <Not Verified; Jungo; WinDriver Device Driver>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 NTBOOT (NTBOOTMGR) - c:\windows\system\driver\ntuser.exe (file missing)
S2 NTLOAD - c:\windows\system\driver\ntsrv.exe /name:"ntload" /start:"c:\windows\system\driver\csrss.exe" (file missing)
S2 NTSVCMGR - c:\windows\system\driver\ntsrv.exe /name:"ntsvcmgr" /start:"c:\windows\system\driver\services.exe c:\windows\system\driver\ntauth.dll" (file missing)
S3 x10nets (X10 Device Network Service) - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)
S4 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-22 10:17:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 10:30:56 218112 --a------ C:\Program Files\Nathan Heimbruch.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2008-04-14 10:04:35 0 d-------- C:\Program Files\Safer Networking
2008-04-14 09:26:14 85056 --a------ C:\WINDOWS\system32\vffruhqp.dll
2008-04-14 09:20:14 92224 --a------ C:\WINDOWS\system32\ypfywepi.dll
2008-04-14 09:11:50 887 --a------ C:\WINDOWS\system32\tbassgjk.dll
2008-04-14 06:31:30 38400 --a------ C:\WINDOWS\system32\rqRKDwTj.dll
2008-04-14 04:15:53 38400 --a------ C:\WINDOWS\system32\awtttrsQ.dll
2008-04-14 04:11:19 38400 --a------ C:\WINDOWS\system32\yayvWqrq.dll
2008-04-14 03:53:34 38400 --a------ C:\WINDOWS\system32\pmnmmKeF.dll
2008-04-13 22:05:29 92736 --a------ C:\WINDOWS\system32\wlksefap.dll
2008-04-13 22:02:28 85568 -----n--- C:\WINDOWS\system32\dymgvqyy.dll
2008-04-13 21:50:27 95296 --a------ C:\WINDOWS\system32\svdgmhkq.dll
2008-04-13 12:36:17 92736 --a------ C:\WINDOWS\system32\gkvahvee.dll
2008-04-13 12:30:17 95296 --a------ C:\WINDOWS\system32\jurpmvgd.dll
2008-04-12 20:01:41 37888 --a------ C:\WINDOWS\system32\wvUoNGXN.dll
2008-04-12 19:32:43 37888 --a------ C:\WINDOWS\system32\geBrqPIy.dll
2008-04-12 18:56:16 37888 --a------ C:\WINDOWS\system32\efcDSKeb.dll
2008-04-12 18:37:34 37888 --a------ C:\WINDOWS\system32\opnkjJDs.dll
2008-04-12 18:35:36 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 18:35:36 4656 --a------ C:\WINDOWS\unins000.dat
2008-04-12 17:36:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 17:30:02 92736 --a------ C:\WINDOWS\system32\tpawslaq.dll
2008-04-12 17:22:10 37888 --a------ C:\WINDOWS\system32\iifdcCvV.dll
2008-04-12 12:16:53 92736 --a------ C:\WINDOWS\system32\lbervokp.dll
2008-04-12 12:16:38 86592 --a------ C:\WINDOWS\system32\qrpxxhrn.dll
2008-04-12 12:16:25 94272 --a------ C:\WINDOWS\system32\quynautu.dll
2008-04-11 16:46:02 287916 --ahs---- C:\WINDOWS\system32\IOUwDcfe.ini2
2008-04-11 16:45:53 273408 --a------ C:\WINDOWS\system32\efcDwUOI.dll
2008-04-11 16:40:47 38400 --a------ C:\WINDOWS\system32\vtUlIawT.dll
2008-03-27 18:02:59 34410 --a------ C:\WINDOWS\scunin.dat
2008-03-27 18:02:58 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-27 18:02:58 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-03-27 18:02:40 0 d-------- C:\Program Files\Starcraft
2008-03-19 21:06:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Smith Micro
2008-03-19 21:05:57 0 d-------- C:\Program Files\Smith Micro


-- Find3M Report ---------------------------------------------------------------

2008-04-14 09:34:38 0 d-------- C:\Program Files\Trillian
2008-04-14 09:16:28 0 d-------- C:\Documents and Settings\Nathan Heimbruch\Application Data\WeatherBug
2008-04-13 00:02:52 0 d-------- C:\Documents and Settings\Nathan Heimbruch\Application Data\BitTorrent
2008-04-12 19:18:03 0 d-------- C:\Program Files\TweakNow RegCleaner
2008-04-12 17:36:59 0 d-------- C:\Documents and Settings\Nathan Heimbruch\Application Data\Lavasoft
2008-04-12 17:36:28 0 d-------- C:\Program Files\Lavasoft
2008-04-12 17:35:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 15:22:22 39424 -r-hs---- C:\WINDOWS\msn.com
2008-03-31 15:52:34 140 --a------ C:\Documents and Settings\Nathan Heimbruch\Application Data\EV Nova Prefs.prf
2008-03-26 22:58:14 0 d-------- C:\Program Files\Winamp
2008-03-19 20:52:43 0 d-------- C:\Program Files\EV Nova


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2a961fdc-dc3c-49d0-a9b7-79b2bf6dc6d6}]
04/14/2008 09:20 AM 92224 --a------ C:\WINDOWS\system32\ypfywepi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82F29E4-8368-4B14-9C00-5138C0D94034}]
04/11/2008 04:40 PM 38400 --a------ C:\WINDOWS\system32\vtUlIawT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD982E0E-5FF4-473D-A5CE-57BBEA75A07C}]
04/11/2008 04:46 PM 273408 --a------ C:\WINDOWS\system32\efcDwUOI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [11/03/2004 10:10 PM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 11:43 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [11/03/2004 11:21 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 01:37 PM]
"P17Helper"="P17.dll" [05/03/2005 07:38 PM C:\WINDOWS\SYSTEM32\P17.dll]
"Tarantula"="C:\Program Files\Razer\Tarantula\razerhid.exe" [09/30/2006 04:48 PM]
"Windows live Messenger"="msn.com" [04/11/2008 03:22 PM C:\WINDOWS\msn.com]
"BM67a510df"="C:\WINDOWS\system32\svdgmhkq.dll" [04/13/2008 09:50 PM]
"64962343"="C:\WINDOWS\system32\vffruhqp.dll" [04/14/2008 09:26 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/19/2007 01:48 PM]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [04/07/2006 04:02 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

C:\Documents and Settings\Nathan Heimbruch\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 12:58:38 PM]
Shortcut to firefox.exe.lnk - C:\Program Files\Mozilla Firefox\firefox.exe [9/27/2007 1:27:45 PM]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [12/11/2007 1:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 12:58:38 PM]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [9/22/2007 4:25:58 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B82F29E4-8368-4B14-9C00-5138C0D94034}"= C:\WINDOWS\system32\vtUlIawT.dll [04/11/2008 04:40 PM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjg]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\regw]
C:\WINDOWS\msagent\CHARS\regw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlIawT]
vtUlIawT.dll 04/11/2008 04:40 PM 38400 C:\WINDOWS\SYSTEM32\vtUlIawT.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcDwUOI

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
"C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
"C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
"C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"KodakCCS"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fdf2cf6-13da-11d9-a4bc-806d6172696f}]
AutoRun\command- F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1f099bb-211a-11d9-a4c5-00038a000015}]
AutoRun\command- G:\LaunchBF.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7cb4716-01c7-11d9-a3f5-806d6172696f}]
AutoRun\command- E:\dvd-rom.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 1ad2srvr-cpt-v1.com
127.0.0.1 www.1ad2srvr-cpt-v1.com
127.0.0.1 207-182-237-233.visionaire-us.com
127.0.0.1 www.207-182-237-233.visionaire-us.com
127.0.0.1 3721.com
127.0.0.1 www.3721.com
127.0.0.1 680180.net
127.0.0.1 www.680180.net
127.0.0.1 7search.com
127.0.0.1 www.7search.com

1088 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-14 10:32:18 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 19%
Physical Memory (total/avail): 3070.09 MiB / 2460.02 MiB
Pagefile Memory (total/avail): 4449.82 MiB / 3992.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.42 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 145.49 GiB total, 12.25 GiB free.
D: is CDROM (No Media)
E: is CDROM (UDF)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST3160023AS - 149.05 GiB - 3 partitions
\PARTITION0 - Unknown - 62.72 MiB
\PARTITION1 (bootable) - Installable File System - 145.49 GiB - C:
\PARTITION2 - Unknown - 3.5 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.8.1169 [VPS 080414-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Scout\\WinZephyr\\WinZephyr.exe"="C:\\Program Files\\Scout\\WinZephyr\\WinZephyr.exe:*:Enabled:Zephyr for 32-bit Windows (ISU mods)"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mmjb.exe"="C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mmjb.exe:*:Enabled:Musicmatch Jukebox"
"C:\\Program Files\\MSN\\MSNCoreFiles\\MSN6.EXE"="C:\\Program Files\\MSN\\MSNCoreFiles\\MSN6.EXE:*:Enabled:MSN Explorer"
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
"C:\\Program Files\\eXeem\\eXeem.exe"="C:\\Program Files\\eXeem\\eXeem.exe:*:Enabled:eXeem"
"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\EA GAMES\\Command and Conquer Generals\\patchget.dat"="C:\\Program Files\\EA GAMES\\Command and Conquer Generals\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA GAMES\\Command & Conquer Generals Zero Hour\\patchget.dat"="C:\\Program Files\\EA GAMES\\Command & Conquer Generals Zero Hour\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\Ares Lite Edition\\Ares.exe"="C:\\Program Files\\Ares Lite Edition\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\messenger\\msmsgs.exe"="C:\\Program Files\\messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"="C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Documents and Settings\\Nathan Heimbruch\\Desktop\\WoW-Intro-enUS-downloader.exe"="C:\\Documents and Settings\\Nathan Heimbruch\\Desktop\\WoW-Intro-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.6.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.6.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Microsoft Games\\MechWarrior Mercenaries Downloadable Trial\\MW4Mercs.exe"="C:\\Program Files\\Microsoft Games\\MechWarrior Mercenaries Downloadable Trial\\MW4Mercs.exe:*:Enabled:MechWarrior IV"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\Ares Lite\\Ares.exe"="C:\\Program Files\\Ares Lite\\Ares.exe:*:Enabled:Ares Lite"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."
"C:\\Program Files\\Ares Ultra\\Ares Ultra.exe"="C:\\Program Files\\Ares Ultra\\Ares Ultra.exe:*:Enabled:Ares Ultra p2p for windows"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"="C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe:*:Enabled:lotroclient"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat:*:Enabled:The Battle for Middle-earth™ II"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nathan Heimbruch\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FLEDGE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HES_DOMAIN=iastate.edu
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nathan Heimbruch
INCLUDE=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
LIB=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
LOGONSERVER=\\FLEDGE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\COMMON~1\SONICS~1\;C:\PROGRA~1\KERB;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NATHAN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\NATHAN~1\LOCALS~1\Temp
USERDOMAIN=FLEDGE
USERNAME=Nathan Heimbruch
USERPROFILE=C:\Documents and Settings\Nathan Heimbruch
VS71COMNTOOLS=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Nathan Heimbruch (admin)
Da Fam
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Program\SETUP.EXE" /S /U /W
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /X{27579b3c-5470-4496-be6c-0c872674f19f}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Catalyst Control Center --> MsiExec.exe /I{F08DAD55-0EB9-46FD-B083-6AC2B3B816B7}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{3A7FE907-65AE-4D6B-A864-B515C71B078C} /l1033
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Multimedia Center 9.02.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033
ATI Remote Wonder 2.3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{3347F781-9C89-4C9B-B471-B1FFC3BC4A84} /l1033
Audacity 1.2.4 --> "C:\Program Files\Audacity\unins000.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
Broadcom Advanced Control Suite 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2E086814-7392-4E0F-ADB8-54A81E47406C} /l1033
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Command & Conquer 3 --> MsiExec.exe /I{B0C30E93-D3D9-4F04-A2AC-54749B573275}
Creative EAX Settings --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C64409FA-42A7-49C6-837A-D2E5D813BD57}\setup.exe" -l0x9 /remove
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove/remove/remove
Creative Speaker Settings --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 /remove
D-Link Wireless N USB Adapter DWA-130 --> C:\Program Files\InstallShield Installation Information\{12556CE0-804A-40B7-8054-BD666764ED36}\setup.exe -runfromtemp -l0x0009 -removeonly
D-Link Wireless N USB Adapter DWA-130 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A385AA5D-4B9C-4BB4-A3D9-8BA006D6E831}\setup.exe" -l0x9 -removeonly
DA920EN --> MsiExec.exe /X{C1E5DF32-8248-4347-908C-E030EDAE4368}
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Dell AIO Printer A920 --> C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support 5.0.0 (766) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
Device Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9194237B-7B58-40B4-A739-184AD59531A2}\setup.exe" -l0x9 /remove
Direct Show Ogg Vorbis Filter (remove only) --> "C:\WINDOWS\system32\OggDSuninst.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
EV Nova (remove only) --> "C:\Program Files\EV Nova\uninstall.exe"
EV Nova (remove only) --> "C:\Program Files\EV Nova\uninstall.exe"
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
HijackThis 1.99.1 --> C:\Program Files\HijackThis.exe /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\Setup.exe" -l0409 -INTELUNINST
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140011_801fae\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ .NET Standard 2003 - English --> "C:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual C++ .NET Standard 2003 - English\setup.exe" /MaintMode
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Mozilla Firefox (2.0.0.13) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Visual Studio .NET 2003 --> MsiExec.exe /I{5757AE1A-1DB4-4898-9806-09F77FBD5E57}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
Oblivion - Horse Armor Pack --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
PopCap Browser Plugin --> C:\Program Files\PopCap Games\PopCap Browser Plugin\Uninstall.exe
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Razer Tarantula --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{655B9514-3963-490B-9EE1-431E80444889}\Setup.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RunAlyzer --> "C:\Program Files\Safer Networking\RunAlyzer\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Sid Meier's Civilization 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Sid Meier's Civilization 4 - Beyond the Sword --> C:\Program Files\InstallShield Installation Information\{32E4F0D2-C135-475E-A841-1D59A0D22989}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4 - Warlords --> C:\Program Files\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Pirates! --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1632FD86-1BA4-4FC4-8B25-A8C655D63F68} /l1033
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sound Blaster Live! 24-bit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB481CC-F57C-4397-81A0-DADD22257047}\SETUP.EXE" -l0x9
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
StuffIt 12 --> MsiExec.exe /X{9ED3C484-D002-4D4D-9BF3-C3DF9048EE7D}
The Battle for Middle-earth ™ II --> C:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\EAUninstall.exe
Tranquillity 1.0 --> "C:\Program Files\Tranquillity\unins000.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
TweakNow RegCleaner --> "C:\Program Files\TweakNow RegCleaner\unins000.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Zoo Tycoon 2 - Dino Danger Pack --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{F568B133-170C-4818-B06A-712C6D91B9F7}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2550 / Error
Event Submitted/Written: 04/14/2008 10:31:55 AM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type2549 / Error
Event Submitted/Written: 04/14/2008 10:20:13 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application RunAlyzer.exe, version 0.7.3.13, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2518 / Error
Event Submitted/Written: 04/13/2008 02:00:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module vtuliawt.dll, version 0.0.0.0, fault address 0x00003cb6.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type2499 / Error
Event Submitted/Written: 04/12/2008 07:38:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.31114, faulting module efcdwuoi.dll, version 0.0.0.0, fault address 0x0002f95c.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2474 / Warning
Event Submitted/Written: 04/11/2008 10:04:22 PM
Event ID/Source: 40 / WinMgmt
Event Description:
WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_2050727_ASPNETAppsv2050727 for Performance Library ASP.NET_2.0.50727 because error 0x80041001 was returned



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22779 / Error
Event Submitted/Written: 04/14/2008 09:41:44 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 205.237.175.77 on the
Network Card with network address 001B116EB00E.

Event Record #/Type22778 / Warning
Event Submitted/Written: 04/14/2008 09:41:44 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001B116EB00E. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type22777 / Warning
Event Submitted/Written: 04/14/2008 09:12:03 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type22775 / Warning
Event Submitted/Written: 04/14/2008 09:10:15 AM / 04/14/2008 09:10:42 AM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type22770 / Error
Event Submitted/Written: 04/14/2008 05:19:25 AM
Event ID/Source: 31008 / ipnathlp
Event Description:
The DNS proxy agent was unable to read the local list of name-resolution
servers from the registry.
The data is the error code.



-- End of Deckard's System Scanner: finished at 2008-04-14 10:32:18 ------------
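Added example, not part of this thread and not code from any of the tools posted in it: a small Python triage script that reads Deckard's System Scanner event-log output like the Application Event Log above, pulls the faulting module out of each Application Error (event ID 1000), and flags modules that match the naming of the files in this thread (eight letters, no digits, version 0.0.0.0, i.e. no version resource). It then matches those module names case-insensitively against a file-deletion list, because the event log lower-cases module names while ComboFix prints the on-disk name; the vtuliawt.dll that crashed explorer.exe above is the same file as C:\WINDOWS\system32\vtUlIawT.dll in the ComboFix log posted later in this thread. The sample input is copied from this page; the function names and the naming heuristic are my own, and the heuristic is a triage hint, not proof of infection.

```python
import re
from typing import Dict, List

# Constructed sample: three entries copied from the Application Event Log
# section of the Deckard's System Scanner log in post #1.
SAMPLE_LOG = """\
Event Record #/Type2550 / Error
Event Submitted/Written: 04/14/2008 10:31:55 AM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type2518 / Error
Event Submitted/Written: 04/13/2008 02:00:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module vtuliawt.dll, version 0.0.0.0, fault address 0x00003cb6.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type2499 / Error
Event Submitted/Written: 04/12/2008 07:38:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.31114, faulting module efcdwuoi.dll, version 0.0.0.0, fault address 0x0002f95c.
Processing media-specific event for [firefox.exe!ws!]
"""

# Constructed sample: two paths taken from the "Other Deletions" list in the
# ComboFix log posted later in this thread (post #5).
SAMPLE_DELETIONS = [
    r"C:\WINDOWS\system32\vtUlIawT.dll",
    r"C:\WINDOWS\system32\wvUoNGXN.dll",
]

RECORD_RE = re.compile(r"^Event Record #/Type(?P<rec>\d+) / (?P<type>\w+)$", re.M)
WRITTEN_RE = re.compile(r"^Event Submitted/Written: (?P<when>.+)$", re.M)
IDSRC_RE = re.compile(r"^Event ID/Source: (?P<id>\d+) / (?P<src>.+)$", re.M)
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>\S+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>\S+), "
    r"fault address (?P<addr>0x[0-9A-Fa-f]+)\."
)
# Heuristic (my assumption, drawn from the file names in this thread):
# eight letters, no digits, ".dll" extension.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split DSS event-log output into one dict per 'Event Record' block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = RECORD_RE.search(block)
        idsrc = IDSRC_RE.search(block)
        if not rec or not idsrc:
            continue  # section header or other noise, not an event
        written = WRITTEN_RE.search(block)
        marker = "Event Description:"
        idx = block.find(marker)
        desc = block[idx + len(marker):].strip() if idx >= 0 else ""
        events.append({
            "record": rec["rec"], "type": rec["type"],
            "when": written["when"] if written else "",
            "id": idsrc["id"], "source": idsrc["src"].strip(),
            "description": desc,
        })
    return events


def looks_like_vundo_module(module: str, version: str) -> bool:
    """Triage hint, not proof: a versionless (0.0.0.0) DLL whose name is
    eight letters with no digits. Legitimate Windows modules carry a version
    stamp; the files removed in this thread are all eight mixed-case letters."""
    return version == "0.0.0.0" and bool(RANDOM_NAME_RE.match(module))


def suspicious_faults(text: str) -> List[Dict[str, str]]:
    """Return the Application Error (1000) events whose faulting module
    matches the random-name heuristic, oldest entry last as in the log."""
    hits = []
    for ev in parse_events(text):
        if ev["source"] != "Application Error" or ev["id"] != "1000":
            continue
        m = FAULT_RE.search(ev["description"])
        if m and looks_like_vundo_module(m["module"], m["mod_ver"]):
            hits.append({"when": ev["when"], "app": m["app"],
                         "module": m["module"], "addr": m["addr"]})
    return hits


def match_deleted(modules: List[str], deleted_paths: List[str]) -> Dict[str, str]:
    """Case-insensitive basename match between event-log module names
    (lower-cased by Windows) and on-disk paths from a removal log."""
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in deleted_paths}
    return {m: by_name[m.lower()] for m in modules if m.lower() in by_name}


if __name__ == "__main__":
    hits = suspicious_faults(SAMPLE_LOG)
    for h in hits:
        print(f"{h['when']}: {h['app']} crashed in {h['module']} at {h['addr']}")
    for mod, path in match_deleted([h["module"] for h in hits], SAMPLE_DELETIONS).items():
        print(f"  {mod} matches removed file {path}")
```

Two practitioner notes on the same log: a crash in a versionless, randomly named DLL loaded into explorer.exe or the browser is the evidence worth acting on here, and the crypt32 error about a certificate "not within its validity period" is posted alongside a W32Time warning that the system clock has been unsynchronized for 49152 seconds, so the clock itself should be checked before the root-list failure is blamed on anything else.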

#2 Fledge182 (Topic Starter, Members, 20 posts)

Posted 15 April 2008 - 11:11 AM

Just an update on some new problems. I've tried running Spybot again and it now finds Virtumonde (1-6 entries) and Virtumonde.dll (14-18), when it used to just find Virtumonde. When I try to repair the problems, Spybot freezes after fixing 2 or 3 of them, and my CPU usage goes to and stays at 100%, with the bulk of the processing power going to mdm.exe. I am able to close Spybot through Task Manager and can get the usage back to normal ranges by ending mdm.exe. I've attempted to fix the problem several times through Spybot, Ad-Aware and Avast with no lasting luck.
Also, both Firefox and Internet Explorer are not loading several pages and are taking long load times on others. I've tried other computers using the same internet connection and they do not have the same problems.

Edited by Fledge182, 15 April 2008 - 11:15 AM.


#3 Fledge182 (Topic Starter, Members, 20 posts)

Posted 16 April 2008 - 09:57 AM

Another update on problems. I just had Internet Explorer start "replicating": I closed a window and it started cascading windows of the same page over and over. I tried to stop it by holding Alt+4, but that just kept it at the current number of windows. The total reached over 60 windows before I was able to get the computer shut off. I'm still getting the pop-ups as well.
I've also now run VundoFix. It found 4 files, but I am still having problems after a second scan came up clean.

Edited by Fledge182, 16 April 2008 - 10:31 AM.


#4 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 16 April 2008 - 11:34 AM

Hello Fledge182,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Fledge182

Fledge182
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 17 April 2008 - 04:17 PM

Here are the ComboFix and new HijackThis logs.

ComboFix 08-04-16.5 - Nathan Heimbruch 2008-04-17 15:56:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2596 [GMT -5:00]
Running from: C:\Documents and Settings\Nathan Heimbruch\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\blunjbae.ini
C:\WINDOWS\system32\byXPjhIa.dll
C:\WINDOWS\system32\cbXNGaAP.dll
C:\WINDOWS\system32\cbXOGVmk.dll
C:\WINDOWS\system32\ddcDvsPg.dll
C:\WINDOWS\system32\eabjnulb.dll
C:\WINDOWS\system32\ecdnqbol.dll
C:\WINDOWS\system32\efcDSKeb.dll
C:\WINDOWS\system32\geBrqPIy.dll
C:\WINDOWS\system32\iifdcCvV.dll
C:\WINDOWS\SYSTEM32\IOUwDcfe.ini
C:\WINDOWS\SYSTEM32\IOUwDcfe.ini2
C:\WINDOWS\system32\kkpnonli.dll
C:\WINDOWS\SYSTEM32\kmVGOXbc.ini
C:\WINDOWS\SYSTEM32\kmVGOXbc.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mwijdrtk.dll
C:\WINDOWS\SYSTEM32\nrhxxprq.ini
C:\WINDOWS\system32\opnkjJDs.dll
C:\WINDOWS\SYSTEM32\pcsiprhd.ini
C:\WINDOWS\SYSTEM32\qtwhxoxe.ini
C:\WINDOWS\system32\T1
C:\WINDOWS\system32\T2
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\tbassgjk.dll
C:\WINDOWS\SYSTEM32\vklslqpr.ini
C:\WINDOWS\system32\vtUlIawT.dll
C:\WINDOWS\system32\wkfvrqlt.dll
C:\WINDOWS\system32\wvUoNGXN.dll
C:\WINDOWS\SYSTEM32\yyqvgmyd.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD
-------\Service_NTLOAD


((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-16 10:46 . 2008-04-16 12:16 714 --ahs---- C:\WINDOWS\SYSTEM32\gajevhco.ini
2008-04-16 10:05 . 2008-04-16 10:18 <DIR> d-------- C:\VundoFix Backups
2008-04-15 22:02 . 2008-04-16 10:14 654 --ahs---- C:\WINDOWS\SYSTEM32\ojoorela.ini
2008-04-15 20:20 . 2008-04-15 21:59 414 --ahs---- C:\WINDOWS\SYSTEM32\lgsppsdk.ini
2008-04-15 20:14 . 2008-04-15 20:14 <DIR> d-------- C:\Program Files\Metacafe
2008-04-15 20:14 . 2008-04-15 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Metacafe
2008-04-15 12:17 . 2008-04-15 19:45 594 --ahs---- C:\WINDOWS\SYSTEM32\tjbqtyjv.ini
2008-04-15 10:15 . 1980-04-15 11:03 474 --ahs---- C:\WINDOWS\SYSTEM32\hadvqlyf.ini
2008-04-15 09:31 . 2008-04-15 09:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 15:08 . 1980-04-15 09:01 354 --ahs---- C:\WINDOWS\SYSTEM32\suhfdbjs.ini
2008-04-14 13:16 . 2008-04-14 13:16 0 --a------ C:\WINDOWS\iPlayer.INI
2008-04-14 11:30 . 2008-04-14 11:30 <DIR> d-------- C:\Program Files\InterActual
2008-04-14 10:30 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\Nathan Heimbruch.exe
2008-04-14 10:27 . 2008-04-14 10:27 <DIR> d-------- C:\Deckard
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Program Files\Safer Networking
2008-04-14 09:26 . 1980-04-14 13:24 708,972 --ahs---- C:\WINDOWS\SYSTEM32\pqhurffv.ini
2008-04-13 12:42 . 1980-04-13 20:48 708,603 --ahs---- C:\WINDOWS\SYSTEM32\mxbfbcgy.ini
2008-04-13 12:30 . 2008-04-16 10:25 101,139 --a------ C:\WINDOWS\BM67a510df.xml
2008-04-12 18:35 . 2008-04-12 18:40 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 18:35 . 2008-04-12 18:46 4,656 --a------ C:\WINDOWS\unins000.dat
2008-04-12 17:36 . 2008-04-12 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-10 09:31 . 2008-03-29 13:31 75,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
2008-04-10 09:31 . 2008-03-29 13:35 20,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
2008-03-27 18:02 . 2008-03-31 23:34 <DIR> d-------- C:\Program Files\Starcraft
2008-03-27 18:02 . 2008-03-27 18:05 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-03-27 18:02 . 2008-03-27 18:05 34,410 --a------ C:\WINDOWS\scunin.dat
2008-03-27 18:02 . 2008-03-27 18:05 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-19 21:06 . 2008-03-19 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Smith Micro
2008-03-19 21:05 . 2008-03-19 21:05 <DIR> d-------- C:\Program Files\Smith Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 20:56 --------- d-----w C:\Program Files\Trillian
2008-04-17 20:47 --------- d-----w C:\Documents and Settings\Nathan Heimbruch\Application Data\WeatherBug
2008-04-15 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 23:31 --------- d-----w C:\Program Files\Electronic Arts
2008-04-15 23:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 23:28 --------- d-----w C:\Program Files\Azureus
2008-04-15 15:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 05:02 --------- d-----w C:\Documents and Settings\Nathan Heimbruch\Application Data\BitTorrent
2008-04-13 00:18 --------- d-----w C:\Program Files\TweakNow RegCleaner
2008-04-12 22:36 --------- d-----w C:\Program Files\Lavasoft
2008-04-12 22:36 --------- d-----w C:\Documents and Settings\Nathan Heimbruch\Application Data\Lavasoft
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-27 03:58 --------- d-----w C:\Program Files\Winamp
2008-03-20 01:52 --------- d-----w C:\Program Files\EV Nova
2008-02-17 17:33 --------- d-----w C:\Documents and Settings\Da Fam\Application Data\Talkback
2007-10-01 23:10 65 ----a-w C:\Documents and Settings\Nathan Heimbruch\Set.dll
2005-02-16 16:06 218,112 ----a-w C:\Program Files\HijackThis.exe
2005-05-05 22:25 382 --sha-w C:\WINDOWS\MSAGENT\CHARS\wger.bak1
2005-05-18 15:25 521,089 --sha-w C:\WINDOWS\MSAGENT\CHARS\wger.bak2
2005-05-19 05:19 522,303 --sha-w C:\WINDOWS\MSAGENT\CHARS\wger.ini2
2004-10-22 03:04 56 --sh--r C:\WINDOWS\SYSTEM32\A8E9B0E66F.sys
2005-12-09 20:40 371,190 --sha-w C:\WINDOWS\SYSTEM32\bcbeg.bak1
2006-03-29 14:48 383,911 --sha-w C:\WINDOWS\SYSTEM32\gjkmp.bak1
2006-04-05 21:48 372,942 --sha-w C:\WINDOWS\SYSTEM32\gjkmp.bak2
2005-10-14 02:55 347,255 --sha-w C:\WINDOWS\SYSTEM32\onnmp.bak1
2005-11-07 16:44 233,953 --sha-w C:\WINDOWS\SYSTEM32\onnmp.bak2
2005-11-07 17:10 233,958 --sha-w C:\WINDOWS\SYSTEM32\onnmp.ini2
2005-09-22 19:27 422,470 --sha-w C:\WINDOWS\SYSTEM32\stvwa.bak1
2005-10-10 20:13 341,637 --sha-w C:\WINDOWS\SYSTEM32\stvwa.bak2
2005-10-11 01:51 342,384 --sha-w C:\WINDOWS\SYSTEM32\stvwa.ini2
2005-11-08 04:00 6,425 --sha-w C:\WINDOWS\SYSTEM32\yccdd.bak1
2005-11-09 13:09 262,367 --sha-w C:\WINDOWS\SYSTEM32\yccdd.bak2
2005-11-10 03:11 261,863 --sha-w C:\WINDOWS\SYSTEM32\yccdd.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A467DFC1-0DE2-454A-8E78-4071200E8836}]
C:\WINDOWS\system32\efcDwUOI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 13:48 68856]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02 1343488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 22:10 344064]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 23:21 32768]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\SYSTEM32\P17.dll]
"Tarantula"="C:\Program Files\Razer\Tarantula\razerhid.exe" [2006-09-30 16:48 176128]
"BM67a510df"="C:\WINDOWS\system32\neurccwp.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 23:21 32768]

C:\Documents and Settings\Nathan Heimbruch\Start Menu\Programs\Startup\
Shortcut to firefox.exe.lnk - C:\Program Files\Mozilla Firefox\firefox.exe [2007-09-27 13:27:45 7660656]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 01:00:00 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe [2007-09-04 10:04:34 149256]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2007-09-22 16:25:58 20525056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjg]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\regw]
C:\WINDOWS\msagent\CHARS\regw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlIawT]
vtUlIawT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-09-22 23:16 69707 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2004-07-08 11:49 196608 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2003-05-02 18:46 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-06-29 11:23 135168 C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-05-10 16:04 11776 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\SYSTEM32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"KodakCCS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mmjb.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\MSN6.EXE"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"C:\\Program Files\\messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.6.0-enUS-downloader.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard Downloader
"6882:TCP"= 6882:TCP:Blizzard Downloader
"6883:TCP"= 6883:TCP:Blizzard Downloader
"6884:TCP"= 6884:TCP:Blizzard Downloader
"6885:TCP"= 6885:TCP:Blizzard Downloader
"6886:TCP"= 6886:TCP:Blizzard Downloader

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 01:14]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;"C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe" [2008-01-31 08:37]
R3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2006-09-27 15:48]
S2 NTBOOT;NTBOOTMGR;C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe []
S3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 14:55]
S3 Alpham1;Ideazon Merc USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1f099bb-211a-11d9-a4c5-00038a000015}]
\Shell\AutoRun\command - G:\LaunchBF.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 15:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 16:04:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Razer\Tarantula\razertra.exe
.
**************************************************************************
.
Completion time: 2008-04-17 16:10:10 - machine was rebooted [Nathan Heimbruch]
ComboFix-quarantined-files.txt 2008-04-17 21:10:05

Pre-Run: 23,680,200,704 bytes free
Post-Run: 23,627,694,080 bytes free
.
2008-04-12 03:03:39 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:42 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Nathan Heimbruch\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A467DFC1-0DE2-454A-8E78-4071200E8836} - C:\WINDOWS\system32\efcDwUOI.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [BM67a510df] Rundll32.exe "C:\WINDOWS\system32\neurccwp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Startup: Shortcut to firefox.exe.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144101441703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: ddccy - C:\WINDOWS\
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\system32\pmkjg.dll (file missing)
O20 - Winlogon Notify: regw - C:\WINDOWS\msagent\CHARS\regw.dll (file missing)
O20 - Winlogon Notify: vtUlIawT - vtUlIawT.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8664 bytes
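
The entries the helper singles out of a log like this share a handful of tells: the target file is already gone ("(file missing)"), a Winlogon Notify value points at a directory rather than a DLL, the DLL name is eight random letters (efcDwUOI, neurccwp, vtUlIawT), or a service has no identifiable owner. The script below is an added example, not part of this thread and not a HijackThis feature, that applies those checks to lines copied from the log above. The 8-letter rule and the "Unknown owner" rule are assumptions and over-flag (browseui.dll is a legitimate 8-letter name; the ATI Smart and X10 services it flags were left alone by the helper), so its output is a review list, not a fix list.

```python
import re

# Entries copied from the HijackThis log posted above (a subset, not constructed).
# O2 = browser helper object, O4 = Run key, O20 = Winlogon Notify package, O23 = service.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A467DFC1-0DE2-454A-8E78-4071200E8836} - C:\WINDOWS\system32\efcDwUOI.dll (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [BM67a510df] Rundll32.exe "C:\WINDOWS\system32\neurccwp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddccy - C:\WINDOWS\
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\system32\pmkjg.dll (file missing)
O20 - Winlogon Notify: regw - C:\WINDOWS\msagent\CHARS\regw.dll (file missing)
O20 - Winlogon Notify: vtUlIawT - vtUlIawT.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING = "(file missing)"
# Assumption: Vundo-era loaders use random 8-letter DLL names. Legitimate 8-letter
# DLLs exist too (browseui.dll), so a hit is a reason to look, not proof of infection.
RANDOM8_DLL = re.compile(r"(?<![\w])[A-Za-z]{8}\.dll\b", re.IGNORECASE)


def triage(log_text):
    """Return [(section, line, [reasons])] for entries that deserve a second look."""
    flagged = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        # The launch target is the last " - " separated field, minus the marker.
        target = body.rsplit(" - ", 1)[-1].replace(MISSING, "").strip()
        reasons = []
        if MISSING in body:
            reasons.append("target file missing: orphaned autostart entry")
        if section == "O20" and not target.lower().endswith(".dll"):
            reasons.append("Winlogon Notify target is not a DLL path")
        if section in ("O2", "O4", "O20") and RANDOM8_DLL.search(body):
            reasons.append("random-looking 8-letter DLL name")
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("service binary has no recognised publisher")
        if reasons:
            flagged.append((section, line, reasons))
    return flagged


def flagged_lines(log_text):
    """Just the log lines that triage() flagged, in log order."""
    return [line for _, line, _ in triage(log_text)]


if __name__ == "__main__":
    for section, line, reasons in triage(HJT_LOG):
        print(f"{section}: {line}\n    -> {'; '.join(reasons)}")
```

Run against the full log it reproduces the helper's eight picks and adds two services the helper deliberately left alone, which is the point: the checks narrow the list, and the analyst decides.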

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:30 PM

Posted 17 April 2008 - 04:26 PM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {A467DFC1-0DE2-454A-8E78-4071200E8836} - C:\WINDOWS\system32\efcDwUOI.dll (file missing)
O4 - HKLM\..\Run: [BM67a510df] Rundll32.exe "C:\WINDOWS\system32\neurccwp.dll",s
O20 - Winlogon Notify: ddccy - C:\WINDOWS\
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\system32\pmkjg.dll (file missing)
O20 - Winlogon Notify: regw - C:\WINDOWS\msagent\CHARS\regw.dll (file missing)
O20 - Winlogon Notify: vtUlIawT - vtUlIawT.dll (file missing)
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntsrv.exe (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u5.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
* Open Notepad (don't use any other text editor than Notepad, or the script will fail).
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\SYSTEM32\pqhurffv.ini
C:\WINDOWS\SYSTEM32\mxbfbcgy.ini
C:\WINDOWS\BM67a510df.xml
C:\WINDOWS\SYSTEM32\suhfdbjs.ini
C:\WINDOWS\SYSTEM32\tjbqtyjv.ini
C:\WINDOWS\SYSTEM32\hadvqlyf.ini
C:\WINDOWS\SYSTEM32\ojoorela.ini
C:\WINDOWS\SYSTEM32\lgsppsdk.ini
C:\WINDOWS\SYSTEM32\gajevhco.ini
C:\WINDOWS\SYSTEM32\bcbeg.bak1
C:\WINDOWS\SYSTEM32\gjkmp.bak1
C:\WINDOWS\SYSTEM32\gjkmp.bak2
C:\WINDOWS\SYSTEM32\onnmp.bak1
C:\WINDOWS\SYSTEM32\onnmp.bak2
C:\WINDOWS\SYSTEM32\onnmp.ini2
C:\WINDOWS\SYSTEM32\stvwa.bak1
C:\WINDOWS\SYSTEM32\stvwa.bak2
C:\WINDOWS\SYSTEM32\stvwa.ini2
C:\WINDOWS\SYSTEM32\yccdd.bak1
C:\WINDOWS\SYSTEM32\yccdd.bak2
C:\WINDOWS\SYSTEM32\yccdd.ini2


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. How is it running now, please? :thumbsup:

Thanks.
tea

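The CFScript above was assembled by hand from two things visible in the ComboFix log: the hidden, system-attributed files with random names and .ini/.ini2/.bak1/.bak2 extensions in SYSTEM32, and the fact that Vundo's companion .ini files are named as the matching DLL's base name spelled backwards (blunjbae.ini / eabjnulb.dll and kmVGOXbc.ini / cbXOGVmk.dll in "Other Deletions", IOUwDcfe.ini / efcDwUOI.dll against the BHO in "Reg Loading Points"). The Python below is an added example, not part of the thread and not a ComboFix feature, that parses lines copied from the log, pairs .ini files with their reversed-name DLLs, and renders the File:: block. The SYSTEM32-only and extension filters are assumptions chosen to match the helper's selection; BM67a510df.xml, which the helper added from the BM67a510df Run key, falls outside them and is intentionally not picked up.

```python
import re

# Paths copied from the "Other Deletions" section of the ComboFix log in the
# reply above (a subset of that list, not constructed).
DELETED = [
    r"C:\WINDOWS\SYSTEM32\blunjbae.ini",
    r"C:\WINDOWS\system32\cbXOGVmk.dll",
    r"C:\WINDOWS\system32\eabjnulb.dll",
    r"C:\WINDOWS\SYSTEM32\IOUwDcfe.ini",
    r"C:\WINDOWS\SYSTEM32\IOUwDcfe.ini2",
    r"C:\WINDOWS\SYSTEM32\kmVGOXbc.ini",
    r"C:\WINDOWS\SYSTEM32\kmVGOXbc.ini2",
    r"C:\WINDOWS\system32\mcrh.tmp",
    r"C:\WINDOWS\SYSTEM32\nrhxxprq.ini",
    r"C:\WINDOWS\system32\vtUlIawT.dll",
]
# DLL names still referenced from the log's "Reg Loading Points" section
# (BHO CLSID, Run key, Winlogon Notify), whether or not the file exists.
REG_DLLS = ["efcDwUOI.dll", "neurccwp.dll", "pmkjg.dll", "vtUlIawT.dll"]

# Listing lines copied from the "Files Created" and "Find3M Report" sections
# (a subset). Format: dates, size, attribute flags, path.
LISTING = r"""
2008-04-16 10:46 . 2008-04-16 12:16 714 --ahs---- C:\WINDOWS\SYSTEM32\gajevhco.ini
2008-04-16 10:05 . 2008-04-16 10:18 <DIR> d-------- C:\VundoFix Backups
2008-04-15 22:02 . 2008-04-16 10:14 654 --ahs---- C:\WINDOWS\SYSTEM32\ojoorela.ini
2008-04-14 09:26 . 1980-04-14 13:24 708,972 --ahs---- C:\WINDOWS\SYSTEM32\pqhurffv.ini
2008-04-13 12:30 . 2008-04-16 10:25 101,139 --a------ C:\WINDOWS\BM67a510df.xml
2008-04-17 20:56 --------- d-----w C:\Program Files\Trillian
2008-04-15 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-05-19 05:19 522,303 --sha-w C:\WINDOWS\MSAGENT\CHARS\wger.ini2
2004-10-22 03:04 56 --sh--r C:\WINDOWS\SYSTEM32\A8E9B0E66F.sys
2005-12-09 20:40 371,190 --sha-w C:\WINDOWS\SYSTEM32\bcbeg.bak1
2006-03-29 14:48 383,911 --sha-w C:\WINDOWS\SYSTEM32\gjkmp.bak1
2005-11-07 17:10 233,958 --sha-w C:\WINDOWS\SYSTEM32\onnmp.ini2
2005-11-10 03:11 261,863 --sha-w C:\WINDOWS\SYSTEM32\yccdd.ini2
"""


def pair_vundo_ini(paths, extra_dlls=()):
    """Map each .ini/.ini2 path to the DLL whose base name is the .ini's name reversed.

    The log shows this pairing three times (blunjbae/eabjnulb, kmVGOXbc/cbXOGVmk,
    IOUwDcfe/efcDwUOI). An .ini with no partner among the known DLLs stays unpaired.
    """
    known = {p.rsplit("\\", 1)[-1].lower() for p in list(paths) + list(extra_dlls)}
    pairs = {}
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        base, _, ext = name.partition(".")
        if ext.lower() not in ("ini", "ini2"):
            continue
        partner = base[::-1] + ".dll"
        if partner.lower() in known:
            pairs[path] = partner
    return pairs


# attribute-flags token, then a drive-letter path running to end of line
LINE_RE = re.compile(r"(?<!\S)([-a-z]{6,9})\s+([A-Za-z]:\\.+?)\s*$")
CF_EXTS = (".ini", ".ini2", ".bak1", ".bak2")   # assumption: extensions seen in this log


def cfscript_candidates(listing):
    """Hidden+system files under SYSTEM32 carrying one of CF_EXTS."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        attrs, path = m.groups()
        if "h" not in attrs or "s" not in attrs:
            continue                  # need both the hidden and the system bit
        if "\\system32\\" not in path.lower():
            continue                  # MSAGENT\CHARS copies are outside this filter
        if path.lower().endswith(CF_EXTS):
            found.append(path)
    return found


def build_cfscript(paths):
    """Render a ComboFix File:: block, one path per line."""
    return "File::\n" + "\n".join(sorted(paths, key=str.lower)) + "\n"


if __name__ == "__main__":
    for ini, dll in pair_vundo_ini(DELETED, REG_DLLS).items():
        print(f"{ini}  <->  {dll}")
    print(build_cfscript(cfscript_candidates(LISTING)))
```

Compare the generated File:: block against the one the helper wrote: every path the script lists appears in hers, and the one she has that it lacks (BM67a510df.xml) came from correlating a file name with a Run-key value, which is analyst judgement rather than a pattern match.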
#7 Fledge182

Fledge182
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:30 PM

Posted 17 April 2008 - 05:02 PM

Here are the new logs. Since running it I haven't noticed any pop-ups or some random error messages I would sometimes get on start-up about missing files (ones that I think Spybot or VundoFix had just deleted). I'll post something new if I still have problems.

ComboFix 08-04-16.5 - Nathan Heimbruch 2008-04-17 16:51:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2615 [GMT -5:00]
Running from: C:\Documents and Settings\Nathan Heimbruch\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nathan Heimbruch\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM67a510df.xml
C:\WINDOWS\SYSTEM32\bcbeg.bak1
C:\WINDOWS\SYSTEM32\gajevhco.ini
C:\WINDOWS\SYSTEM32\gjkmp.bak1
C:\WINDOWS\SYSTEM32\gjkmp.bak2
C:\WINDOWS\SYSTEM32\hadvqlyf.ini
C:\WINDOWS\SYSTEM32\lgsppsdk.ini
C:\WINDOWS\SYSTEM32\mxbfbcgy.ini
C:\WINDOWS\SYSTEM32\ojoorela.ini
C:\WINDOWS\SYSTEM32\onnmp.bak1
C:\WINDOWS\SYSTEM32\onnmp.bak2
C:\WINDOWS\SYSTEM32\onnmp.ini2
C:\WINDOWS\SYSTEM32\pqhurffv.ini
C:\WINDOWS\SYSTEM32\stvwa.bak1
C:\WINDOWS\SYSTEM32\stvwa.bak2
C:\WINDOWS\SYSTEM32\stvwa.ini2
C:\WINDOWS\SYSTEM32\suhfdbjs.ini
C:\WINDOWS\SYSTEM32\tjbqtyjv.ini
C:\WINDOWS\SYSTEM32\yccdd.bak1
C:\WINDOWS\SYSTEM32\yccdd.bak2
C:\WINDOWS\SYSTEM32\yccdd.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM67a510df.xml
C:\WINDOWS\SYSTEM32\bcbeg.bak1
C:\WINDOWS\SYSTEM32\gajevhco.ini
C:\WINDOWS\SYSTEM32\gjkmp.bak1
C:\WINDOWS\SYSTEM32\gjkmp.bak2
C:\WINDOWS\SYSTEM32\hadvqlyf.ini
C:\WINDOWS\SYSTEM32\lgsppsdk.ini
C:\WINDOWS\SYSTEM32\mxbfbcgy.ini
C:\WINDOWS\SYSTEM32\ojoorela.ini
C:\WINDOWS\SYSTEM32\onnmp.bak1
C:\WINDOWS\SYSTEM32\onnmp.bak2
C:\WINDOWS\SYSTEM32\onnmp.ini2
C:\WINDOWS\SYSTEM32\pqhurffv.ini
C:\WINDOWS\SYSTEM32\stvwa.bak1
C:\WINDOWS\SYSTEM32\stvwa.bak2
C:\WINDOWS\SYSTEM32\stvwa.ini2
C:\WINDOWS\SYSTEM32\suhfdbjs.ini
C:\WINDOWS\SYSTEM32\tjbqtyjv.ini
C:\WINDOWS\SYSTEM32\yccdd.bak1
C:\WINDOWS\SYSTEM32\yccdd.bak2
C:\WINDOWS\SYSTEM32\yccdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 16:49 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-17 16:48 . 2008-04-17 16:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-16 10:05 . 2008-04-16 10:18 <DIR> d-------- C:\VundoFix Backups
2008-04-15 20:14 . 2008-04-15 20:14 <DIR> d-------- C:\Program Files\Metacafe
2008-04-15 20:14 . 2008-04-15 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Metacafe
2008-04-15 09:31 . 2008-04-15 09:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 13:16 . 2008-04-14 13:16 0 --a------ C:\WINDOWS\iPlayer.INI
2008-04-14 11:30 . 2008-04-14 11:30 <DIR> d-------- C:\Program Files\InterActual
2008-04-14 10:30 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\Nathan Heimbruch.exe
2008-04-14 10:27 . 2008-04-14 10:27 <DIR> d-------- C:\Deckard
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Program Files\Safer Networking
2008-04-12 18:35 . 2008-04-12 18:40 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 18:35 . 2008-04-12 18:46 4,656 --a------ C:\WINDOWS\unins000.dat
2008-04-12 17:36 . 2008-04-12 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-10 09:31 . 2008-03-29 13:31 75,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
2008-04-10 09:31 . 2008-03-29 13:35 20,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
2008-03-27 18:02 . 2008-03-31 23:34 <DIR> d-------- C:\Program Files\Starcraft
2008-03-27 18:02 . 2008-03-27 18:05 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-03-27 18:02 . 2008-03-27 18:05 34,410 --a------ C:\WINDOWS\scunin.dat
2008-03-27 18:02 . 2008-03-27 18:05 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-19 21:06 . 2008-03-19 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Smith Micro
2008-03-19 21:05 . 2008-03-19 21:05 <DIR> d-------- C:\Program Files\Smith Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 21:49 --------- d-----w C:\Program Files\Java
2008-04-17 21:48 --------- d-----w C:\Program Files\Trillian
2008-04-17 21:11 8,731 ----a-w C:\Program Files\hijackthis.log
2008-04-17 20:47 --------- d-----w C:\Documents and Settings\Nathan Heimbruch\Application Data\WeatherBug
2008-04-15 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 23:31 --------- d-----w C:\Program Files\Electronic Arts
2008-04-15 23:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 23:28 --------- d-----w C:\Program Files\Azureus
2008-04-15 15:34 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 05:02 --------- d-----w C:\Documents and Settings\Nathan Heimbruch\Application Data\BitTorrent
2008-04-13 00:18 --------- d-----w C:\Program Files\TweakNow RegCleaner
2008-04-12 22:36 --------- d-----w C:\Program Files\Lavasoft
2008-04-12 22:36 --------- d-----w C:\Documents and Settings\Nathan Heimbruch\Application Data\Lavasoft
2008-03-29 18:45 1,146,232 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 18:23 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-03-27 03:58 --------- d-----w C:\Program Files\Winamp
2008-03-20 01:52 --------- d-----w C:\Program Files\EV Nova
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-17 17:33 --------- d-----w C:\Documents and Settings\Da Fam\Application Data\Talkback
2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-10-01 23:10 65 ----a-w C:\Documents and Settings\Nathan Heimbruch\Set.dll
2005-02-16 16:06 218,112 ----a-w C:\Program Files\HijackThis.exe
2005-05-05 22:25 382 --sha-w C:\WINDOWS\MSAGENT\CHARS\wger.bak1
2005-05-18 15:25 521,089 --sha-w C:\WINDOWS\MSAGENT\CHARS\wger.bak2
2005-05-19 05:19 522,303 --sha-w C:\WINDOWS\MSAGENT\CHARS\wger.ini2
2004-10-22 03:04 56 --sh--r C:\WINDOWS\SYSTEM32\A8E9B0E66F.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-17_16.09.44.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-17 21:03:42 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-17 21:46:47 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-03-25 06:28:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 06:28:43 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 07:37:01 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-04-17 21:47:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 13:48 68856]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02 1343488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 22:10 344064]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 23:21 32768]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\SYSTEM32\P17.dll]
"Tarantula"="C:\Program Files\Razer\Tarantula\razerhid.exe" [2006-09-30 16:48 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-11-03 23:21 32768]

C:\Documents and Settings\Nathan Heimbruch\Start Menu\Programs\Startup\
Shortcut to firefox.exe.lnk - C:\Program Files\Mozilla Firefox\firefox.exe [2007-09-27 13:27:45 7660656]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 01:00:00 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe [2007-09-04 10:04:34 149256]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2007-09-22 16:25:58 20525056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-09-22 23:16 69707 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2004-07-08 11:49 196608 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2003-05-02 18:46 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-06-29 11:23 135168 C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-05-10 16:04 11776 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\SYSTEM32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"KodakCCS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mmjb.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\MSN6.EXE"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\messenger\\msmsgs.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.6.0-enUS-downloader.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard Downloader
"6882:TCP"= 6882:TCP:Blizzard Downloader
"6883:TCP"= 6883:TCP:Blizzard Downloader
"6884:TCP"= 6884:TCP:Blizzard Downloader
"6885:TCP"= 6885:TCP:Blizzard Downloader
"6886:TCP"= 6886:TCP:Blizzard Downloader

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 01:14]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;"C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe" [2008-01-31 08:37]
R3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2006-09-27 15:48]
S2 NTBOOT;NTBOOTMGR;C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe []
S3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 14:55]
S3 Alpham1;Ideazon Merc USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1f099bb-211a-11d9-a4c5-00038a000015}]
\Shell\AutoRun\command - G:\LaunchBF.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 15:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 16:54:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 16:57:04
ComboFix-quarantined-files.txt 2008-04-17 21:56:58
ComboFix2.txt 2008-04-17 21:10:11

Pre-Run: 23,502,909,440 bytes free
Post-Run: 23,475,961,856 bytes free
.
2008-04-12 03:03:39 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:19 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nathan Heimbruch\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Startup: Shortcut to firefox.exe.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144101441703
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt\ArcNameService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8178 bytes

Edited by Fledge182, 17 April 2008 - 05:12 PM.


#8 Fledge182

Fledge182
  • Topic Starter

  • Members
  • 20 posts

Posted 17 April 2008 - 05:38 PM

I just ran Spybot and it found no Virtumonde or any of its other iterations. It just found a tracking cookie called mediaplex. So it seems as though things may be fixed. Thank you so much for all your help. Hopefully I won't have to talk to you again any time soon. :thumbsup:

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 April 2008 - 05:42 PM

Hello,

That's great to know. :thumbsup:
Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 April 2008 - 02:58 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
