C:\windows\system32\ctl3dv.dll Trojan Horse Generic 10.het


  • This topic is locked
28 replies to this topic

#1 wilmas

wilmas

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 15 April 2008 - 01:14 PM

AVG Virus Threat Detected While Opening file C:\WINDOWS\SYSTEM32\CTL3DV.dll Trojan Horse Generic 10.HET --- This keeps popping up on my CPU. I have Windows XP Home -- SP2 - AVG Virus Software. I can go online and it pops up, I can explore any drive and it pops up. I have tried to heal the file and it keeps coming back, I've tried to delete the file and am unable to do so, I have tried to move it to the vault. It tells me that the file has been healed successfully or that it has been moved to the vault successfully, but it always pops back up the next time I go to do something. Every time that the virus program does a scan it shows that this file is infected and it quarantines it, but it always comes back. I have pasted my HijackThis log file and my ComboFix log file below. Any help is greatly appreciated.

Thanks
Wilma




HIJACKTHIS LOG FILE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:14 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Office Mouse\moffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {95BDC0E4-630B-44AB-A7FA-48E528543F6C} - C:\WINDOWS\system32\CTL3DV.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205001658765
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9992 bytes

COMBOFIX LOG FILE

ComboFix 08-04-14.2 - Wilmas 2008-04-15 10:57:32.1 - NTFSx86
Running from: C:\Documents and Settings\Wilmas\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Wilmas\Application Data\urlredir.cfg
C:\Program Files\msconfigs
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\DcadsSocial-uninstall.exe
C:\WINDOWS\system32\iebrowserc.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-04 08:54 . 2008-04-04 08:54 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Lavasoft
2008-04-04 08:38 . 2008-04-04 08:38 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Grisoft
2008-04-04 08:26 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2008-04-04 08:25 . 2008-04-04 08:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-04 08:22 . 2008-04-04 09:18 <DIR> d-------- C:\Program Files\PConPoint
2008-04-04 08:18 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-04-04 08:17 . 2008-04-15 10:54 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\AVG7
2008-04-04 08:16 . 2008-04-04 08:16 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-04 08:16 . 2008-04-15 07:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-04 08:02 . 2008-04-04 08:02 <DIR> d-------- C:\Program Files\AVG
2008-04-04 08:02 . 2008-04-04 08:02 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\AVGTOOLBAR
2008-04-04 08:02 . 2008-04-04 08:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 04:19 --------- d-----w C:\Program Files\Jewel Quest 2
2008-04-10 21:13 --------- d-----w C:\Program Files\Jewel Quest
2008-04-10 04:47 --------- d-----w C:\Program Files\LimeWire
2008-04-04 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 13:32 --------- d-----w C:\Program Files\Apple Software Update
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-12 18:47 --------- d-----w C:\Program Files\Java
2008-03-08 18:44 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-08 18:42 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-07 23:09 --------- d-----w C:\Program Files\PC MightyMax 2007
2008-03-07 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-04 16:15 98,048 ----a-w C:\WINDOWS\SYSTEM32\CTL3DV.dll
2008-03-02 00:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 18:52 --------- d-----w C:\Program Files\exPressit S.E. 2.1
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-25 09:01 --------- d-----w C:\Program Files\PopCap Games
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-02-06 09:20 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-01-28 04:37 46,300 ----a-w C:\WINDOWS\SYSTEM32\AdssiteSocial-uninstall.exe
2003-08-27 20:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-05-10 21:49 10,283,872 ----a-w C:\Program Files\WinDVD40 Plus.exe
2002-05-10 01:13 109 ----a-w C:\Program Files\WinDVD 4.0 Plus Serial.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95BDC0E4-630B-44AB-A7FA-48E528543F6C}]
2008-03-04 10:15 98048 --a------ C:\WINDOWS\system32\CTL3DV.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 14:00 28739]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 19:23 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"p2pnetwork"="p2pnetwork.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 08:57 294912]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 20:33 106496]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 15:26 406016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 07:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 07:32 86016]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [2006-03-30 10:12 806912]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 15:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 14:00 28739]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 06:39 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 19:23 68856]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-04 08:16 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
ExpressPLNRnote.lnk - C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe [2006-01-16 15:28:06 28200]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 22:56:14 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 14:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 21:34 24576 C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
backup=C:\WINDOWS\pss\Sonic INSTALLit! Setup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-24 20:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsConfigs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetwork]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 19:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-08 21:13 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 18:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardDrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 rrcvuekm;rrcvuekm;C:\WINDOWS\system32\drivers\dajebtxt.dat []
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
S2 DVC150;DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.sys [2003-11-14 11:50]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2001-08-16 09:52]
S3 moufiltr;Chic Tech Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-03-30 10:12]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 12:48:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-04-14 20:00:00 C:\WINDOWS\Tasks\LiveUpdate - Norton AntiVirus.job"
- C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
"2008-04-15 12:58:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 11:02:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rrcvuekm]
"ImagePath"="system32\drivers\dajebtxt.dat"
.
Completion time: 2008-04-15 11:04:13
ComboFix-quarantined-files.txt 2008-04-15 17:03:49

Pre-Run: 67,083,079,680 bytes free
Post-Run: 77,628,682,240 bytes free
.
2008-04-12 08:25:16 --- E O F ---


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 21 April 2008 - 03:48 PM

Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\SYSTEM32\CTL3DV.dll
C:\WINDOWS\system32\drivers\dajebtxt.dat

Driver::
rrcvuekm

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95BDC0E4-630B-44AB-A7FA-48E528543F6C}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"p2pnetwork"=-


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Let me know if this resolves your problem?

steam

Edited by steamwiz, 21 April 2008 - 03:50 PM.
to add extra instruction

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
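An added triage script, not part of this thread and not a BleepingComputer or ComboFix tool, that applies the three checks steamwiz's fix targets (an unnamed BHO, an autorun entry with a bare file name, a kernel driver whose image is not a .sys file or has no timestamp) to sample log lines constructed from the logs posted above, then lays the BHO and driver findings out in the File::/Driver::/Registry:: section layout of his script and checks the first-line rule he stresses. The regular expressions and the Finding, triage, build_cfscript and validate_cfscript names are this example's own; the script layout reproduces only the three constructs visible in his post.

```python
"""Triage HijackThis / ComboFix log lines for the three indicators in this thread.

Added example, not a BleepingComputer or ComboFix tool. The sample lines are
constructed from the logs posted above; the CFScript layout reproduces only the
File::, Driver:: and Registry:: constructs shown in steamwiz's post.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {95BDC0E4-630B-44AB-A7FA-48E528543F6C} - C:\WINDOWS\system32\CTL3DV.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
R0 rrcvuekm;rrcvuekm;C:\WINDOWS\system32\drivers\dajebtxt.dat []
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
"""

# Line shapes as they appear in the two logs (patterns are this example's own).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>HK\S+?): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
DRV_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<image>.+?) \[(?P<stamp>[^\]]*)\]$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "bho", "autorun" or "driver"
    ident: str   # CLSID, autorun label or service name
    path: str    # file the entry loads
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would want to look at first, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            # A BHO is loaded into every Internet Explorer process; vendors register
            # a display name, so an unnamed one is the first thing to look at.
            if m["name"] == "(no name)":
                findings.append(Finding("bho", m["clsid"], m["path"], "BHO registered without a name"))
        elif m := O4_RE.match(line):
            exe = m["cmd"].split()[0].strip('"')
            # A bare file name is resolved through the search path at logon, so the
            # entry alone does not say which file runs (nwiz.exe is NVIDIA's, so
            # this is a lead to verify, not a verdict).
            if "\\" not in exe:
                findings.append(Finding("autorun", m["label"], exe, m["where"] + " entry uses a bare file name"))
        elif m := DRV_RE.match(line):
            ext = m["image"].rsplit(".", 1)[-1].lower()
            # A kernel driver whose image is not a .sys file, or for which ComboFix
            # found no timestamp ("[]"), matches the rrcvuekm entry in the thread.
            if ext != "sys" or not m["stamp"]:
                findings.append(Finding("driver", m["svc"], m["image"], "driver image is not a .sys file or has no timestamp"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Lay the BHO and driver findings out in the section layout of steamwiz's
    script. Autorun leads need a human decision first, so they are not scripted."""
    files, drivers, keys = [], [], []
    for f in findings:
        if f.kind == "bho":
            files.append(f.path)
            keys.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + f.ident + "]")
        elif f.kind == "driver":
            files.append(f.path)
            drivers.append(f.ident)
    lines = ["File::", *files, "", "Driver::", *drivers, "", "Registry::", *keys]
    return "\n".join(lines) + "\n"


def validate_cfscript(text: str) -> bool:
    """The rule steamwiz stresses: 'File::' must be the very first line, with no
    blank line above it and no leading space, and every section header is known."""
    lines = text.split("\n")
    if lines[0] != "File::":
        return False
    headers = [l for l in lines if l.endswith("::")]
    return all(h in ("File::", "Driver::", "Registry::") for h in headers)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:8} {f.ident:40} {f.path}  <- {f.reason}")
    script = build_cfscript(found)
    print(script)
    print("script layout ok:", validate_cfscript(script))
```

Run on the sample, the script flags the unnamed CTL3DV.dll BHO, both bare-filename autoruns (nwiz.exe as well as p2pnetwork.exe, which is why autorun leads are reported but never scripted automatically) and the rrcvuekm driver whose image is a .dat file with no timestamp, and the generated script passes the first-line check while a copy with a leading blank line or space does not.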

#3 wilmas

wilmas
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 29 April 2008 - 10:48 AM

Hi Steamwiz

I did everything you said to do word for word and so far that file hasn't been seen anywhere. Before the fix I couldn't do anything without it coming up on the screen, but not since I did this. Thanks a lot for your help. That popup was starting to drive me crazy. Thanks again. I will post below the new log files for ComboFix and HijackThis.

THANKS AGAIN

Wilma


Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:55 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Office Mouse\moffice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205001658765
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9826 bytes




Combofix Log

ComboFix 08-04-28.2 - Wilmas 2008-04-29 10:16:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.397 [GMT -5:00]
Running from: C:\Documents and Settings\Wilmas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wilmas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\CTL3DV.dll
C:\WINDOWS\system32\drivers\dajebtxt.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\CTL3DV.dll
C:\WINDOWS\system32\drivers\dajebtxt.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RRCVUEKM
-------\Service_rrcvuekm


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-15 12:50 . 2008-04-15 12:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 09:54 . 2008-04-04 09:54 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Lavasoft
2008-04-04 09:42 . 2008-04-28 08:13 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-04 09:38 . 2008-04-04 09:38 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Grisoft
2008-04-04 09:26 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2008-04-04 09:25 . 2008-04-04 09:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-04 09:22 . 2008-04-04 10:18 <DIR> d-------- C:\Program Files\PConPoint
2008-04-04 09:18 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-04-04 09:17 . 2008-04-15 11:54 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\AVG7
2008-04-04 09:16 . 2008-04-04 09:16 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-04 09:16 . 2008-04-28 07:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-04 09:02 . 2008-04-04 09:02 <DIR> d-------- C:\Program Files\AVG
2008-04-04 09:02 . 2008-04-04 09:02 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\AVGTOOLBAR
2008-04-04 09:02 . 2008-04-04 09:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 03:14 --------- d-----w C:\Program Files\Jewel Quest 2
2008-04-24 09:31 --------- d-----w C:\Program Files\Office Mouse
2008-04-24 09:31 --------- d-----w C:\Program Files\Microsoft Works
2008-04-24 09:31 --------- d-----w C:\Program Files\LimeWire
2008-04-24 09:31 --------- d-----w C:\Program Files\Lexmark 3100 Series
2008-04-24 09:31 --------- d-----w C:\Program Files\Jigs@w Platinum
2008-04-24 09:31 --------- d-----w C:\Program Files\Jewel Quest
2008-04-24 09:31 --------- d-----w C:\Program Files\Family Tree Maker 2005
2008-04-24 09:31 --------- d-----w C:\Program Files\exPressit S.E. 2.1
2008-04-24 09:31 --------- d-----w C:\Program Files\Bursting Bubbles Deluxe
2008-04-04 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 13:32 --------- d-----w C:\Program Files\Apple Software Update
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-12 18:47 --------- d-----w C:\Program Files\Java
2008-03-08 18:44 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-08 18:42 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-07 23:09 --------- d-----w C:\Program Files\PC MightyMax 2007
2008-03-07 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-02 00:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-02-06 09:20 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2003-08-27 20:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-05-10 21:49 10,283,872 ----a-w C:\Program Files\WinDVD40 Plus.exe
2002-05-10 01:13 109 ----a-w C:\Program Files\WinDVD 4.0 Plus Serial.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00 28739]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 20:23 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 09:57 294912]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 21:33 106496]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 08:32 86016]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 15:20 94208]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [2006-03-30 11:12 806912]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00 28739]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 07:39 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 02:01 437160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 20:23 68856]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-04 09:16 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
ExpressPLNRnote.lnk - C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe [2006-01-16 16:28:06 28200]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 23:56:14 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 15:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 22:34 24576 C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
backup=C:\WINDOWS\pss\Sonic INSTALLit! Setup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 08:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-24 21:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsConfigs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetwork]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-08 22:13 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 19:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardDrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 03:00]
S2 DVC150;DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.sys [2003-11-14 12:50]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]
S3 moufiltr;Chic Tech Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-03-30 11:12]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 12:48:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-04-28 19:00:00 C:\WINDOWS\Tasks\LiveUpdate - Norton AntiVirus.job"
- C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
"2008-04-29 15:26:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 10:23:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Office Mouse\mouse32a.dat
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
.
**************************************************************************
.
Completion time: 2008-04-29 10:32:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 15:32:13
ComboFix2.txt 2008-04-15 17:04:13

Pre-Run: 88,913,883,136 bytes free
Post-Run: 88,962,400,256 bytes free

208 --- E O F --- 2008-04-25 14:00:29
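
Reading a pair of logs like the ones above means scanning for a handful of tell-tale shapes rather than knowing every vendor binary: a core Windows name (winlogon.exe, csrss.exe, ctfmon.exe) started from anywhere but its system directory, or a rundll32 autorun whose value name, DLL name and export all look machine-generated instead of vendor-chosen. The Python script below is an added illustration of that triage, not part of this post and not code from HijackThis or ComboFix. It parses the HijackThis v2 "Running processes" list and "O4 - <hive>\..\Run:" lines, scores those indicators, and runs over a constructed sample modelled on entries that appear in this thread. The SYSTEM_BINARIES table assumes a default C:\WINDOWS install, and the two-indicator threshold for rundll32 entries is a judgement call made for this example.

```python
"""Triage helper for HijackThis v2 logs (illustrative script, not part of
HijackThis or ComboFix).

Two patterns from this thread are checked: a core Windows binary name
(winlogon.exe, csrss.exe, ctfmon.exe ...) running from, or auto-started
from, a directory other than the one it belongs in; and rundll32 autoruns
whose value name, DLL name and export all look machine-generated.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed default install: the only legitimate home of each core binary.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}

# "O4 - HKLM\..\Run: [value name] command"  (optional trailing "(User '...')")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
EXE_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.I)
GENERATED_NAME_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-f]{8}")  # BM0f00b131, 0c3382ad


@dataclass
class Finding:
    line: str
    reasons: tuple


def misplaced_system_binary(path):
    """Reason string if `path` names a core binary outside its home, else None."""
    base = ntpath.basename(path).lower()
    home = SYSTEM_BINARIES.get(base)
    if home and ntpath.dirname(path).lower().rstrip("\\") != home:
        return f"{base} runs from {ntpath.dirname(path)} instead of {home}"
    return None


def rundll32_indicators(name, cmd):
    """List the machine-generated-looking traits of a rundll32 autorun.

    Vendor entries carry a readable value name and a descriptive export
    (NvCpl.dll,NvStartup); the suspect entries in this thread use hex-ish
    names, a bare lower-case DLL token and a one-letter export."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return []
    reasons = []
    dll = ntpath.basename(m["dll"]).lower()
    if GENERATED_NAME_RE.fullmatch(name):
        reasons.append(f"value name {name!r} looks auto-generated")
    if re.fullmatch(r"[a-z]{6,10}\.dll", dll):
        reasons.append(f"DLL name {dll!r} is a bare run of lower-case letters")
    if len(m["export"]) <= 2:
        reasons.append(f"export {m['export']!r} is not a descriptive entry point")
    return reasons


def triage(log_text):
    """Return the O4 entries and running processes worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        o4 = O4_RE.match(line)
        if o4:
            hits = rundll32_indicators(o4["name"], o4["cmd"])
            if len(hits) >= 2:  # one trait alone is noise (NvMcTray.dll is all lower-case)
                reasons.extend(hits)
            exe = EXE_PATH_RE.search(o4["cmd"])
            why = misplaced_system_binary(exe.group(0)) if exe else None
            if why:
                reasons.append(why)
        elif EXE_PATH_RE.fullmatch(line):  # a line from the "Running processes:" list
            why = misplaced_system_binary(line)
            if why:
                reasons.append(why)
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


# Constructed sample in HijackThis v2 layout; the entries mirror ones posted in
# this thread, and C:\csrss.exe is taken from the AVG alert text quoted later.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Wilmas\winlogon.exe
C:\csrss.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Wilmas\winlogon.exe
O4 - HKLM\..\Run: [BM0f00b131] Rundll32.exe "C:\WINDOWS\system32\yqoywenm.dll",s
O4 - HKLM\..\Run: [0c3382ad] rundll32.exe "C:\WINDOWS\system32\anbiicod.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

Run as-is it prints five flagged lines (the two misplaced processes and three O4 entries) and stays quiet on the NVIDIA, Defender and ctfmon entries; to use it on a saved log call `triage(open("hijackthis.log").read())`. The threshold matters: NvMcTray.dll trips the lower-case-name check on its own, which is why a single trait is never reported.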

#4 steamwiz (Members, 1,039 posts)

Posted 29 April 2008 - 02:43 PM

Hi Wilma

Your logs are clean now :thumbsup:

Happy surfing

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#5 steamwiz (Members, 1,039 posts)

Posted 20 May 2008 - 04:26 PM

As this thread is resolved, it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam

#6 steamwiz (Members, 1,039 posts)

Posted 07 July 2008 - 06:22 PM

RE-opened at request of poster ...

PM...

I would like to reopen this thread if possible, I now have another issue with my cpu. I'm wanting to add my new HijackThis log file and a new ComboFix log file to this post, so that someone can compare the two. Can I do this or do I need to open a new thread? Thanks again for your help last time and hoping you can assist with this new problem.

steam

#7 wilmas (Topic Starter; Members, 13 posts)

Posted 09 July 2008 - 03:28 PM

Hello Steam or anyone else that is willing to help!!!

I'll give a description of the problem before I post the new HijackThis and ComboFix log files.

My computer had started running slower than normal, mainly while on the Internet. Then I started getting popups; like when I click to get on the internet, my homepage would come up and some other popups would come up as well, mainly antispyware and registry cleaner popups. Then I started getting small AVG Antivirus popups that were advising me that I had an infected file on my computer. This is word for word as to what pops up:

Multiple Threat Detection Infections list #1) (File Name) - C:\ctfmon.exe (Threat Name) - Virus found win32/heur, detected on open. #2) File was same info as #1. Hidden details were as follows - 1 Process name: c:\windows\system32\svchost.exe -- Process ID: 3396, 2 Process name: c:\program files\windows defender\msmpeng.exe -- Process ID: 1300

This is another popup that I get a lot --- Accessed file is infected Threat Detected (File Name): c:\system volume information\-restore(B37680B2-BAQA-4ESD-BF30-83E44C588624)\RP205\A0026607.dll - (Threat Name) - Trojan horse Generic I0.BADM, detected on open. Hidden details were - process name: c:\program files\windowsdefender\msmpeng.exe -- process ID: 1320.

Then today when I was trying to do the ComboFix scan this popped up - 1 (File name) c:\csrss.exe (threat name) Trojan horse downloader.generic7.UBV, 2 (File name) c:\windows\system32\olixds18\olixds182328.exe (Threat name) Trojan horse downloader.generic7.XMT

When these pop up I try to heal with my AVG but I don't think it is working.

Also today after I did the ComboFix scan I had this pop up before it ever gave a log report and after it restarted my PC: RUNDLL -- Error loading C:\windows\system32\yqoywenm.dll, and when I pushed OK this one popped up: RUNDLL -- Error loading C:\windows\system32\anbiicod.dll, and on both the popups it said (The Specified Module Could Not Be Found). I had never seen these until I did the ComboFix scan and then the PC shut down and restarted by itself; that's when I got the RUNDLL errors.

Any help is greatly appreciated. I will now paste my HijackThis log file and the ComboFix log file (both were created today). Hope my description of the problem is detailed enough. If any questions, feel free to PM me.

Thanks
Wilma


Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:44 PM, on 7/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Office Mouse\moffice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Wilmas\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - (no file)
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Wilmas\winlogon.exe
O4 - HKLM\..\Run: [BM0f00b131] Rundll32.exe "C:\WINDOWS\system32\yqoywenm.dll",s
O4 - HKLM\..\Run: [0c3382ad] rundll32.exe "C:\WINDOWS\system32\anbiicod.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Picaboo.lnk = C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205001658765
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10966 bytes


Combofix


ComboFix 08-07-08.9 - Wilmas 2008-07-09 13:24:14.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.282 [GMT -5:00]
Running from: C:\Documents and Settings\Wilmas\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Dynamic Toolbar
C:\WINDOWS\BM0f00b131.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\anbiicod.dll
C:\WINDOWS\system32\athqqujc.dll
C:\WINDOWS\SYSTEM32\BaadKkkj.ini
C:\WINDOWS\SYSTEM32\BaadKkkj.ini2
C:\WINDOWS\system32\bebxphom.dll
C:\WINDOWS\system32\bifbgkbq.dll
C:\WINDOWS\system32\cnbwse.dll
C:\WINDOWS\SYSTEM32\dociibna.ini
C:\WINDOWS\system32\domwwcyb.dll
C:\WINDOWS\system32\efwpmy.dll
C:\WINDOWS\system32\eskdgwkb.ini
C:\WINDOWS\system32\frrknu.dll
C:\WINDOWS\system32\gduyhnfm.ini
C:\WINDOWS\system32\ivrnftlk.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mohpxbeb.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\PqBLlUtv.ini
C:\WINDOWS\SYSTEM32\PqBLlUtv.ini2
C:\WINDOWS\system32\rqpqov.dll
C:\WINDOWS\system32\scgoonqf.dll
C:\WINDOWS\system32\tuvUMgfE.dll
C:\WINDOWS\system32\vtUlLBqP.dll
C:\WINDOWS\system32\wdaltdxb.dll
C:\WINDOWS\system32\xmppdvfl.ini
C:\WINDOWS\system32\yqoywenm.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-09 13:41 . 2008-07-09 13:41 33,792 --a------ C:\Documents and Settings\Wilmas\services.exe
2008-07-08 08:37 . 2008-07-09 13:20 110,428 --a------ C:\WINDOWS\BM0f00b131.xml
2008-07-06 08:29 . 2008-07-08 16:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\olixds18
2008-07-06 08:29 . 2008-07-06 08:29 <DIR> d-------- C:\Temp\stmpv4
2008-07-03 16:17 . 2008-07-04 20:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\modtrux18
2008-07-03 16:17 . 2008-07-03 16:17 <DIR> d-------- C:\Temp\syschk3
2008-07-03 16:17 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Wilmas\winlogon.exe
2008-07-03 16:15 . 2008-07-03 16:16 <DIR> d-------- C:\Program Files\Live_TV
2008-07-03 16:15 . 2008-07-03 16:15 <DIR> d-------- C:\Program Files\Conduit
2008-06-30 10:33 . 2008-06-30 13:53 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Wildfire
2008-06-30 10:33 . 2008-06-30 10:33 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-06-30 10:32 . 2008-06-30 10:33 <DIR> d-------- C:\Program Files\Tumblebugs
2008-06-30 10:31 . 2008-06-30 10:41 <DIR> d-------- C:\Program Files\Fish Tycoon
2008-06-30 10:31 . 2005-12-28 18:03 40,960 --a------ C:\WINDOWS\SYSTEM32\Fish Tycoon.scr
2008-06-28 08:55 . 2008-06-28 08:56 <DIR> d-------- C:\Program Files\InterActual
2008-06-28 08:51 . 2008-06-28 08:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\DLA
2008-06-28 08:51 . 2006-08-08 09:18 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-06-28 08:51 . 2006-08-08 09:18 56,056 --a------ C:\WINDOWS\SYSTEM32\DLAAPI_W.DLL
2008-06-28 08:51 . 2006-08-01 19:46 51,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DRVNDDM.SYS
2008-06-28 08:51 . 2006-08-01 20:06 28,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DLARTL_M.SYS
2008-06-28 08:51 . 2006-08-01 20:06 12,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DLACDBHM.SYS
2008-06-28 08:47 . 2008-06-28 08:47 <DIR> d-------- C:\Program Files\SightSpeed
2008-06-28 08:43 . 2008-06-28 08:44 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2008-06-25 08:00 . 2008-06-25 08:00 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Picaboo
2008-06-19 12:17 . 2008-07-09 08:03 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-19 11:38 . 2008-07-09 08:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-06-19 11:38 . 2008-07-02 15:15 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-06-19 11:38 . 2008-07-02 15:15 76,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-06-19 11:38 . 2008-07-02 15:15 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-06-10 18:33 . 2008-06-13 06:05 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-10 18:33 . 2008-05-08 09:02 203,136 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 18:42 77 ----a-w C:\Documents and Settings\Wilmas\9664.bat
2008-07-09 05:42 --------- d-----w C:\Program Files\Jewel Quest 2
2008-07-07 23:54 --------- d-----w C:\Documents and Settings\Wilmas\Application Data\AVGTOOLBAR
2008-07-03 00:21 --------- d-----w C:\Documents and Settings\Wilmas\Application Data\Roxio
2008-06-30 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 16:03 --------- d-----w C:\Program Files\Roxio
2008-06-28 13:57 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-06-28 13:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-28 13:50 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-06-28 13:50 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-28 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-06-28 13:45 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-06-28 13:26 --------- d-----w C:\Program Files\Dell
2008-06-27 14:58 --------- d-----w C:\Program Files\Picasa2
2008-06-21 15:48 --------- d-----w C:\Program Files\exPressit S.E. 2.1
2008-06-19 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-19 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 16:00 --------- d-----w C:\Documents and Settings\Wilmas\Application Data\AdobeUM
2008-05-30 20:07 --------- d-----w C:\Program Files\Jewel Quest
2008-05-29 12:55 --------- d-----w C:\Program Files\LimeWire
2008-05-20 12:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\SYSTEM32\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\SYSTEM32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\SYSTEM32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\SYSTEM32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\SYSTEM32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\SYSTEM32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\SYSTEM32\msgina.dll
2008-04-14 00:10 67,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2008-04-14 00:10 53,760 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsd.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\SYSTEM32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\SYSTEM32\msafd.dll
2008-04-14 00:10 175,104 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsa.dll
2008-04-14 00:10 15,872 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
2008-04-14 00:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs804.dll
2008-04-14 00:10 10,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tmigrate.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\SYSTEM32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\SYSTEM32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\SYSTEM32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\SYSTEM32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\SYSTEM32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\SYSTEM32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\SYSTEM32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\SYSTEM32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-04-13 17:27 79,872 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\SYSTEM32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\SYSTEM32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\SYSTEM32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\SYSTEM32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\SYSTEM32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\SYSTEM32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\SYSTEM32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\SYSTEM32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\SYSTEM32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\SYSTEM32\moricons.dll
2008-04-13 16:43 70,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\SYSTEM32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\SYSTEM32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\SYSTEM32\msimsg.dll
2003-08-27 20:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-05-10 21:49 10,283,872 ----a-w C:\Program Files\WinDVD40 Plus.exe
2002-05-10 01:13 109 ----a-w C:\Program Files\WinDVD 4.0 Plus Serial.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FAADA70-E123-46E4-B5CB-3BAB7D18D1E8}]
2008-07-09 13:47 282624 --a------ C:\WINDOWS\system32\khfGvsqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00 28739]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 20:23 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Wilmas\winlogon.exe" [2008-06-27 18:38 53248]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 09:57 294912]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 21:33 106496]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 08:32 86016]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 15:20 94208]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [2006-03-30 11:12 806912]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00 28739]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 15:15 1232152]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 09:00 1116920]
"BM0f00b131"="C:\WINDOWS\system32\hlvkwywh.dll" [2008-07-09 13:50 92160]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 02:01 437160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 20:23 68856]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 20:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
ExpressPLNRnote.lnk - C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe [2006-01-16 16:28:06 28200]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 23:56:14 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 15:00:00 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E91C2855-AC7E-4ED9-B488-0F78FAE8AD2D}"= "C:\WINDOWS\system32\wvUkKBSl.dll" [2008-07-09 13:42 31232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUkKBSl]
2008-07-09 13:42 31232 C:\WINDOWS\SYSTEM32\wvUkKBSl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\khfGvsqo

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
backup=C:\WINDOWS\pss\Sonic INSTALLit! Setup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsConfigs
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 08:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-24 21:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-08 22:13 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 19:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardDrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 15:15]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 03:00]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-02 15:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 15:15]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 15:15]
S2 DVC150;DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.sys [2003-11-14 12:50]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-04 11:48:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-07-07 19:00:00 C:\WINDOWS\Tasks\LiveUpdate - Norton AntiVirus.job"
- C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
"2008-07-09 18:40:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{06A1F910-762A-4660-B534-55B82571851C} - C:\WINDOWS\system32\nnnoOfeC.dll
BHO-{85891CF5-118E-44AF-8682-A7B08D33A9E7} - C:\WINDOWS\system32\awtusrRh.dll
BHO-{C2FD8235-A020-4726-9FD1-4A174F70718F} - C:\WINDOWS\system32\jkkKdaaB.dll
HKLM-Run-0c3382ad - C:\WINDOWS\system32\anbiicod.dll
ShellExecuteHooks-{06A1F910-762A-4660-B534-55B82571851C} - C:\WINDOWS\system32\nnnoOfeC.dll
ShellExecuteHooks-{85891CF5-118E-44AF-8682-A7B08D33A9E7} - C:\WINDOWS\system32\awtusrRh.dll
Notify-awtusrRh - awtusrRh.dll
Notify-nnnoOfeC - nnnoOfeC.dll
MSConfigStartUp-PCMService - C:\Program Files\Dell\Media Experience\PCMService.exe
MSConfigStartUp-p2pnetwork - p2pnetwork.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 13:37:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\MSINET.oca 29184 bytes executable
C:\WINDOWS\system32\wvUkKBSl.dll 31232 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\wvUkKBSl.dll
-> C:\Documents and Settings\Wilmas\winlogon.exe
-> C:\WINDOWS\system32\khfGvsqo.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\hlvkwywh.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Office Mouse\mouse32a.dat
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-09 13:53:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 18:52:50
ComboFix2.txt 2008-04-29 15:32:17
ComboFix3.txt 2008-04-15 17:04:13

Pre-Run: 88,030,605,312 bytes free
Post-Run: 89,255,612,416 bytes free

330 --- E O F --- 2008-07-04 22:59:23

#8 steamwiz

  • Members
  • 1,039 posts

Posted 09 July 2008 - 05:18 PM

HI

My ... what a mess you have there ...

Any threat found here :- c:\system volume information\-restore

is not a problem unless you perform a system restore; we'll purge that as one of the last things we do.

RUNDLL -- Error loading C:windows\system32\yqoywenm.dll and when I pushed OK this one popped up RUNDLL -- Error loading C:windows\system32\anbiicod.dll and on both the popups it said (The Specified Module Could Not Be Found). I had never seen these until I did the Combofix scan and then the PC shut down and restarted by itself, that's when I got the RUNDLL errors.


Combofix removed the malware files but Windows was still looking for them when it rebooted; looking at the logs, that seems to have been attended to & you shouldn't get the error messages anymore ... tell me if you do, and the file name referenced.

There's a lot of work to do, I want you to start by running these scans & posting the logs :-

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
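The "Windows was still looking for them" explanation above, as an added example that is neither part of the original thread nor ComboFix's own code: a small Python cross-check over a constructed ComboFix-style excerpt (a few lines modelled on the log posted earlier in the thread) that pairs each autostart entry with the deletions list, so a deleted DLL still referenced from a Run value is surfaced as the source of the "Error loading" popup; it also flags a core Windows binary name running from outside System32, as winlogon.exe does here. The section banners, regexes and the excerpt itself are assumptions.

```python
"""Cross-check ComboFix-style autostart entries against its deletions list.

Added example, not part of the thread or of ComboFix. A cleanup tool that
deletes a DLL while the Run value loading it survives (or is only removed
on the next pass) leaves Windows trying to load a missing module at boot,
which is what the "RUNDLL -- Error loading ..." popups report.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt modelled on the log posted in this thread (same
# layout, a handful of its lines); not a real capture.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\anbiicod.dll
C:\WINDOWS\system32\yqoywenm.dll
C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Wilmas\winlogon.exe" [2008-06-27 18:38 53248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]
"BM0f00b131"="C:\WINDOWS\system32\hlvkwywh.dll" [2008-07-09 13:50 92160]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-0c3382ad - C:\WINDOWS\system32\anbiicod.dll
"""

# Section banners: "((( Name )))" or "- - - - NAME - - - -" (assumed layout).
HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$|^- - - - (.+?) - - - -$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
# "name"="C:\path" [date size]  (Reg Loading Points lines)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[A-Za-z]:\\[^"]+)"')
# KEY-Name - C:\path  (ORPHANS REMOVED lines)
ORPHAN_RE = re.compile(r"^(?P<name>\S+) - (?P<path>[A-Za-z]:\\.+)$")

# Names that only belong in System32 on an XP box (hypothetical short list).
CORE_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe",
                 "csrss.exe", "svchost.exe", "smss.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group log lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for line in log.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1) or m.group(2)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line.rstrip())
    return sections


def deleted_files(sections: Dict[str, List[str]]) -> Set[str]:
    """Full paths listed under 'Other Deletions', lower-cased for matching."""
    return {ln.strip().lower() for ln in sections.get("Other Deletions", [])
            if PATH_RE.match(ln.strip())}


def autostart_entries(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """(section, value name, target path) for every autostart line found."""
    found = []
    for sec in ("Reg Loading Points", "ORPHANS REMOVED"):
        for ln in sections.get(sec, []):
            m = RUN_VALUE_RE.match(ln.strip()) or ORPHAN_RE.match(ln.strip())
            if m:
                found.append((sec, m.group("name"), m.group("path")))
    return found


def find_orphans(log: str) -> List[Tuple[str, str, str]]:
    """Autostart entries whose target was deleted: each is a
    'RUNDLL -- Error loading <dll>' popup waiting for the next boot."""
    sections = split_sections(log)
    gone = deleted_files(sections)
    return [e for e in autostart_entries(sections) if e[2].lower() in gone]


def misplaced_system_binaries(log: str) -> List[Tuple[str, str]]:
    """Autostart targets that borrow a core Windows binary's name but do
    not live in System32 (winlogon.exe under a user profile, as here)."""
    hits = []
    for _sec, name, path in autostart_entries(split_sections(log)):
        folder, _, base = path.lower().rpartition("\\")
        if base in CORE_BINARIES and folder != SYSTEM_DIR:
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    for sec, name, path in find_orphans(SAMPLE_LOG):
        print(f"orphaned autostart [{sec}] {name} -> {path}")
    for name, path in misplaced_system_binaries(SAMPLE_LOG):
        print(f"core binary name outside System32: {name} -> {path}")
```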

#9 wilmas
  • Topic Starter
  • Members
  • 13 posts

Posted 13 July 2008 - 08:17 AM

Good Morning Steam,

I did everything that you advised, sorry it took so long to reply. Here are the log files from both scans that you requested. Just let me know what I need to do from here.
Thanks for your help..
Wilma

Malwarebytes' Anti-Malware 1.20
Database version: 942
Windows 5.1.2600 Service Pack 3

2:29:08 PM 7/12/2008
mbam-log-7-12-2008 (14-29-08).txt

Scan type: Quick Scan
Objects scanned: 41236
Time elapsed: 7 minute(s), 38 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 29

Memory Processes Infected:
C:\Documents and Settings\Wilmas\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\wvUkKBSl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live_TV Toolbar (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e91c2855-ac7e-4ed9-b488-0f78fae8ad2d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e91c2855-ac7e-4ed9-b488-0f78fae8ad2d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvukkbsl (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c3382ad (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b69a9db4-d0a1-4722-b56b-f20757a29cdf} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{b69a9db4-d0a1-4722-b56b-f20757a29cdf} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b69a9db4-d0a1-4722-b56b-f20757a29cdf} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft works portfolio (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e91c2855-ac7e-4ed9-b488-0f78fae8ad2d} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\modtrux18 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\qiiohasu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\usahoiiq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Conduit\Community Alerts\Alert.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\INSTALL.LOG (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\tbLiv1.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\tbLive.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\toolbar.cfg (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\UNWISE.EXE (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\PARTNER.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\1.bin\S42NS.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0031C005 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0031C209 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0031C303.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\0031C46A.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\LocalSettings.txt (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\ThirdPartyComponents.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\update.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tuvWpNfC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mlJDtuuU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wvUkKBSl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\BM0f00b131.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0f00b131.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 12, 2008 19:40:49
Records in database: 945956
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 159482
Threat name: 4
Infected objects: 39
Suspicious objects: 0
Duration of the scan: 05:58:14


File name / Threat name / Threats count
C:\Documents and Settings\Wilmas\.housecall6.6\Quarantine\A0003712.DLL.bac_a00928 Infected: not-a-virus:AdTool.Win32.MyWebSearch.da 1
C:\Documents and Settings\Wilmas\.housecall6.6\Quarantine\jar_cache44522.tmp.bac_a00928 Infected: Trojan.Java.ClassLoader.ap 3
C:\Documents and Settings\Wilmas\.housecall6.6\Quarantine\S4BAR.DLL.bac_a00928 Infected: not-a-virus:AdTool.Win32.MyWebSearch.da 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\anbiicod.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\athqqujc.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bebxphom.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bifbgkbq.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cnbwse.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\domwwcyb.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\efwpmy.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\frrknu.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqpqov.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\scgoonqf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aaex 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvUMgfE.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtUlLBqP.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wdaltdxb.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yqoywenm.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP205\A0025607.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP205\A0026608.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026675.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026676.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026677.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026678.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026679.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026680.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026681.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026682.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026683.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026685.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026687.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0026688.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP209\A0027776.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP211\A0028776.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\achshshl.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\fbvcqofq.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\hlvkwywh.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\otnoib.dll Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

#10 steamwiz

  • Members
  • 1,039 posts

Posted 13 July 2008 - 04:16 PM

Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\SYSTEM32\achshshl.dll
C:\WINDOWS\SYSTEM32\fbvcqofq.dll
C:\WINDOWS\SYSTEM32\hlvkwywh.dll
C:\WINDOWS\SYSTEM32\otnoib.dll

Folder::
C:\WINDOWS\SYSTEM32\olixds18
C:\Temp


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
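
An added example, not code from this thread, from ComboFix or from Kaspersky: a small Python script that pulls the still-live detections out of a Kaspersky Online Scanner report (skipping hits that already sit in a quarantine folder or a System Restore snapshot), writes them into the File:: section of a CFScript, and checks the layout rules steam gives above (File:: on the first line, no blank line above it, no leading space). The report text is a constructed sample modelled on the lines in this thread; the Folder:: entries are taken from the CFScript above, and the quarantine-path markers are my assumption.

```python
import re

# Constructed sample, modelled on the Kaspersky Online Scanner lines in this thread.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\Wilmas\.housecall6.6\Quarantine\S4BAR.DLL.bac_a00928 Infected: not-a-virus:AdTool.Win32.MyWebSearch.da 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\anbiicod.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP205\A0025607.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\achshshl.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\fbvcqofq.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\hlvkwywh.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\SYSTEM32\otnoib.dll Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>".
# The path may contain spaces, so the match is non-greedy up to " Infected: ".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed markers: a path containing one of these is a copy already held by a
# scanner's quarantine or by a System Restore point. Those are inert and are not
# fed to File:: (restore points are cleared as a separate step at the end).
CONTAINED_MARKERS = ("\\quarantine\\", "\\system volume information\\")


def parse_report(text):
    """Return [(path, threat, count), ...] for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def is_contained(path):
    """True if the path points into a quarantine folder or a restore point."""
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def live_detections(text):
    """Paths the scanner flagged that are still live on disk, in report order."""
    return [path for path, _, _ in parse_report(text) if not is_contained(path)]


def build_cfscript(files, folders=()):
    """Assemble a CFScript with the layout the post describes: File:: on line 1."""
    lines = ["File::", *files]
    if folders:
        lines += ["", "Folder::", *folders]
    return "\n".join(lines) + "\n"


def check_cfscript(text):
    """Return a list of layout problems; an empty list means the script is well-formed."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0] != "File::":
        got = lines[0] if lines else ""
        problems.append("line 1: expected 'File::' (no blank line above, no leading space), got %r" % got)
    for n, line in enumerate(lines, start=1):
        if line and line[0].isspace():
            problems.append("line %d: leading whitespace" % n)
        if line.endswith("::") and line not in ("File::", "Folder::"):
            problems.append("line %d: unknown section %r" % (n, line))
    return problems


if __name__ == "__main__":
    files = live_detections(SAMPLE_REPORT)
    # The Folder:: entries come from the post above, not from the scanner report.
    script = build_cfscript(files, [r"C:\WINDOWS\SYSTEM32\olixds18", r"C:\Temp"])
    print(script)
    print("problems:", check_cfscript(script))
```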

#11 wilmas

  • Topic Starter
  • Members
  • 13 posts

Posted 14 July 2008 - 07:15 AM

Hello Steam,

I did everything you stated in the last e-mail. Here are both log files you requested. Is it looking better than it did when we started?
Thanks



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:56 AM, on 7/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Office Mouse\moffice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205001658765
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10662 bytes

ComboFix 08-07-08.9 - Wilmas 2008-07-13 20:58:19.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.407 [GMT -5:00]
Running from: C:\Documents and Settings\Wilmas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wilmas\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\achshshl.dll
C:\WINDOWS\SYSTEM32\fbvcqofq.dll
C:\WINDOWS\SYSTEM32\hlvkwywh.dll
C:\WINDOWS\SYSTEM32\otnoib.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\achshshl.dll
C:\WINDOWS\SYSTEM32\fbvcqofq.dll
C:\WINDOWS\SYSTEM32\hlvkwywh.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\SYSTEM32\olixds18
C:\WINDOWS\SYSTEM32\oqsvGfhk.ini
C:\WINDOWS\SYSTEM32\oqsvGfhk.ini2
C:\WINDOWS\SYSTEM32\otnoib.dll
C:\WINDOWS\system32\tljmskxd.ini
C:\WINDOWS\system32\UwDfOXyb.ini
C:\WINDOWS\SYSTEM32\UwDfOXyb.ini2
C:\WINDOWS\system32\ymaubacq.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-12 14:14 . 2008-07-12 14:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 14:14 . 2008-07-12 14:14 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Malwarebytes
2008-07-12 14:14 . 2008-07-12 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 14:14 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-12 14:14 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-11 19:19 . 2008-07-11 19:19 <DIR> d-------- C:\Program Files\Sun
2008-07-03 16:15 . 2008-07-03 16:15 <DIR> d-------- C:\Program Files\Conduit
2008-06-30 10:33 . 2008-06-30 13:53 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Wildfire
2008-06-30 10:33 . 2008-06-30 10:33 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-06-30 10:32 . 2008-06-30 10:33 <DIR> d-------- C:\Program Files\Tumblebugs
2008-06-30 10:31 . 2008-06-30 10:41 <DIR> d-------- C:\Program Files\Fish Tycoon
2008-06-30 10:31 . 2005-12-28 18:03 40,960 --a------ C:\WINDOWS\SYSTEM32\Fish Tycoon.scr
2008-06-28 08:55 . 2008-06-28 08:56 <DIR> d-------- C:\Program Files\InterActual
2008-06-28 08:51 . 2008-06-28 08:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\DLA
2008-06-28 08:51 . 2006-08-08 09:18 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-06-28 08:51 . 2006-08-08 09:18 56,056 --a------ C:\WINDOWS\SYSTEM32\DLAAPI_W.DLL
2008-06-28 08:51 . 2006-08-01 19:46 51,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DRVNDDM.SYS
2008-06-28 08:51 . 2006-08-01 20:06 28,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DLARTL_M.SYS
2008-06-28 08:51 . 2006-08-01 20:06 12,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DLACDBHM.SYS
2008-06-28 08:47 . 2008-06-28 08:47 <DIR> d-------- C:\Program Files\SightSpeed
2008-06-28 08:43 . 2008-06-28 08:44 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2008-06-25 08:00 . 2008-06-25 08:00 <DIR> d-------- C:\Documents and Settings\Wilmas\Application Data\Picaboo
2008-06-19 12:17 . 2008-07-13 10:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-19 11:38 . 2008-07-13 18:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-06-19 11:38 . 2008-07-02 15:15 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-06-19 11:38 . 2008-07-02 15:15 76,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-06-19 11:38 . 2008-07-02 15:15 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 00:19 --------- d-----w C:\Program Files\Java
2008-07-12 00:10 --------- d-----w C:\Program Files\exPressit S.E. 2.1
2008-07-11 03:31 --------- d-----w C:\Program Files\Jewel Quest 2
2008-07-07 23:54 --------- d-----w C:\Documents and Settings\Wilmas\Application Data\AVGTOOLBAR
2008-07-03 00:21 --------- d-----w C:\Documents and Settings\Wilmas\Application Data\Roxio
2008-06-30 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 16:03 --------- d-----w C:\Program Files\Roxio
2008-06-28 13:57 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-06-28 13:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-28 13:50 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-06-28 13:50 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-28 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-06-28 13:45 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-06-28 13:26 --------- d-----w C:\Program Files\Dell
2008-06-27 14:58 --------- d-----w C:\Program Files\Picasa2
2008-06-19 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-19 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 16:00 --------- d-----w C:\Documents and Settings\Wilmas\Application Data\AdobeUM
2008-05-30 20:07 --------- d-----w C:\Program Files\Jewel Quest
2008-05-29 12:55 --------- d-----w C:\Program Files\LimeWire
2008-05-20 12:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2003-08-27 20:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-05-10 21:49 10,283,872 ----a-w C:\Program Files\WinDVD40 Plus.exe
2002-05-10 01:13 109 ----a-w C:\Program Files\WinDVD 4.0 Plus Serial.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00 28739]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 20:23 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 09:57 294912]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 21:33 106496]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 08:32 86016]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 15:20 94208]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [2006-03-30 11:12 806912]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00 28739]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 15:15 1232152]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 09:00 1116920]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 02:01 437160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 20:23 68856]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 20:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
ExpressPLNRnote.lnk - C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe [2006-01-16 16:28:06 28200]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 23:56:14 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-08-08 15:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
backup=C:\WINDOWS\pss\Sonic INSTALLit! Setup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsConfigs
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 08:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-24 21:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2005-03-08 22:13 1695744 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 19:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardDrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 15:15]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 03:00]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-02 15:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 15:15]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 15:15]
S2 DVC150;DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.sys [2003-11-14 12:50]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2001-08-16 10:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-04 11:48:09 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-07-11 19:00:00 C:\WINDOWS\Tasks\LiveUpdate - Norton AntiVirus.job"
- C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
"2008-07-14 02:11:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{4ccbe660-e05f-430d-89a1-423a131f8e77} - C:\WINDOWS\system32\fpivmf.dll
BHO-{ED1FD0F6-CB90-4AB9-A91B-035BC01967A1} - C:\WINDOWS\system32\byXOfDwU.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 21:08:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\Wilmas\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{FF7BB5DC-ED44-486B-A526-AED2C5E1FFBD}.xml 913 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Office Mouse\mouse32a.dat
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-13 21:22:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 02:21:54
ComboFix2.txt 2008-07-09 18:53:14
ComboFix3.txt 2008-04-29 15:32:17
ComboFix4.txt 2008-04-15 17:04:13

Pre-Run: 89,200,824,320 bytes free
Post-Run: 89,260,711,936 bytes free

238 --- E O F --- 2008-07-13 15:01:38


Thanks Again
Wilma

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 16 July 2008 - 02:31 PM

Hi

Looks a lot better... :thumbsup:

Empty/delete your C:\Documents and Settings\Wilmas\.housecall6.6\Quarantine .. not the folder, the contents ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


Then please Run a new Kaspersky Online Scan & post the new report :blink:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#13 wilmas

wilmas
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 21 July 2008 - 12:01 PM

Steam

Sorry it has taken so long to reply. I had to run the Kaspersky scan 4 times: one time I forgot to save the log report, and two other times the computer would freeze up on me and I couldn't even view the log report, much less save it. I finally got it though. I'm having to send this back to you on another computer; mine has gone crazy. I can get online and my home page comes up, but my Google web search has quit working, and when I search MSN I get the Bleeping Computer web site but I couldn't log in; it keeps telling me that the web page could not be found. I don't know what is going on... I had another virus detection warning and I keep getting webpage popups, everything from car sales popups to match making popups. The virus detection warning that came up this morning was C:\WINDOWS\system32\geBrrOHW.dll and C:\WINDOWS\system32\ssqPjhfG.dll .....

Here is the Kaspersky log report you requested.

Why do I keep getting popups, is it the effects of the viruses on my computer?
Thanks
Wilma

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 20, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, July 20, 2008 15:06:28
Records in database: 977333
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 152928
Threat name: 4
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 05:59:46


File name / Threat name / Threats count
C:\WINDOWS\system32\ssqPjhfG.dll/C:\WINDOWS\system32\ssqPjhfG.dll Infected: Trojan.Win32.Monderb.ny 3
C:\WINDOWS\system32\wvUkKcDS.dll/C:\WINDOWS\system32\wvUkKcDS.dll Infected: Trojan.Win32.Monderb.ny 1
C:\Documents and Settings\Wilmas\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.55321 Infected: Trojan.Win32.Agent.uvi 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0030051.exe Infected: Trojan.Win32.Agent.uvi 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0030107.exe Infected: Trojan-Downloader.Win32.VB.fen 1
C:\WINDOWS\SYSTEM32\carH18\carH182328.exe Infected: Trojan-Downloader.Win32.VB.fen 1
C:\WINDOWS\SYSTEM32\geBtQgDu.dll Infected: Trojan.Win32.Monderb.ny 1
C:\WINDOWS\SYSTEM32\hxjnltfy.dll Infected: Trojan.Win32.Monder.anu 1
C:\WINDOWS\SYSTEM32\ssqPjhfG.dll Infected: Trojan.Win32.Monderb.ny 1
C:\WINDOWS\SYSTEM32\urqQhEXN.dll Infected: Trojan.Win32.Monderb.ny 1
C:\WINDOWS\SYSTEM32\wvUkKcDS.dll Infected: Trojan.Win32.Monderb.ny 1

The selected area was scanned.

#14 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 21 July 2008 - 03:42 PM

Hi Wilma

Why do I keep getting popups, is it the effects of the viruses on my computer?


Yes ... your logs were clean ... if you'd managed to get that KASPERSKY ONLINE SCAN back to me quicker, we may have been able to stop this last outbreak before it got a foothold ... speed is of the essence when cleaning this stuff up; if we miss just one, it can come flooding back ...

I need you to run some more scans now ... this time I'd like you to start with a DSS scan (Deckard's System Scanner)

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post BOTH logs ...

THEN ... run another Malwarebytes' Anti-Malware scan & post that log as well ...

Get the logs back as soon as you can, then we'll take it from there :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#15 wilmas

wilmas
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 22 July 2008 - 09:10 AM

Steam

I did all the scans and reposted them as fast as I could, but remember I had to save the logs, move them to a flash drive and paste to this website via another computer. Mine still won't let me get on this site. On the MBAM I did what you had told me to do in an earlier e-mail: "if an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.
Hope I did the right thing, as far as removing selected.

Here are all three logs that you requested.

Thanks
Wilma



Deckard's System Scanner v20071014.68
Run by Wilmas on 2008-07-22 08:26:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2008-07-22 13:26:13 UTC - RP225 - Deckard's System Scanner Restore Point
7: 2008-07-22 09:45:07 UTC - RP224 - System Checkpoint
6: 2008-07-21 00:49:09 UTC - RP223 - System Checkpoint
5: 2008-07-19 13:39:37 UTC - RP222 - Last known good configuration
4: 2008-07-19 13:39:19 UTC - RP221 - Installed Adobe Photoshop


-- First Restore Point --
1: 2008-07-19 13:39:18 UTC - RP218 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Wilmas.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:41 AM, on 7/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Office Mouse\moffice.exe
C:\Program Files\Office Mouse\MOUSE32A.DAT
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Documents and Settings\Wilmas\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Wilmas\Local Settings\Temporary Internet Files\Content.IE5\QO6LHTMF\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Wilmas.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {79882BD6-E34A-4F11-B725-6DCE85B2CD5D} - C:\WINDOWS\system32\geBrrOHW.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A2A792D8-2B7A-44E6-8E66-74B1A6E12AE7} - C:\WINDOWS\system32\geBrrQig.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {f36086d2-4e21-0f4a-4364-7496591c675c} - {c576c195-6947-4634-a4f0-12e42d68063f} - C:\WINDOWS\system32\tavzzs.dll
O2 - BHO: (no name) - {DB036A52-3A88-466B-BD39-05A6D9D9B18A} - C:\WINDOWS\system32\ssqPjhfG.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - (no file)
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Wilmas\winlogon.exe
O4 - HKLM\..\Run: [0c3382ad] rundll32.exe "C:\WINDOWS\system32\iqnxnyha.dll",b
O4 - HKLM\..\Run: [BM0f00b131] Rundll32.exe "C:\WINDOWS\system32\fnorknws.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExpressPLNRnote.lnk = C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205001658765
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ssqPjhfG - ssqPjhfG.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11646 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.js - JSFile - shell\open\command - C:\WINDOWS\System32\WScript.exe "%1" %*
.vbs - VBSFile - shell\open\command - C:\WINDOWS\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 genmcmn (Scroll Mouse Driver) - c:\windows\system32\drivers\gmfiltr.sys <Not Verified; KYE Systems Corp.; Scroll Mouse Driver>
S3 moufiltr (Chic Tech Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Chic Tech.; Chic Tech.>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 I2ocdd -
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-22 02:06:43 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-07-21 14:00:00 296 --a------ C:\WINDOWS\Tasks\LiveUpdate - Norton AntiVirus.job
2008-07-18 06:48:29 438 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-21 13:13:11 0 d-------- C:\Program Files\PhotoMix
2008-07-21 10:42:27 32256 --a------ C:\WINDOWS\system32\yayyVolm.dll
2008-07-21 09:37:00 82432 --a------ C:\WINDOWS\system32\iqnxnyha.dll
2008-07-21 09:34:06 102400 --a------ C:\WINDOWS\system32\tavzzs.dll
2008-07-21 09:34:00 102400 --a------ C:\WINDOWS\system32\ubtanfox.dll
2008-07-21 09:31:02 94208 --a------ C:\WINDOWS\system32\fnorknws.dll
2008-07-20 09:45:43 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-20 09:31:36 102400 --a------ C:\WINDOWS\system32\kfycna.dll
2008-07-20 09:31:31 102400 --a------ C:\WINDOWS\system32\vnowyxcl.dll
2008-07-20 09:29:11 93184 --a------ C:\WINDOWS\system32\wedyqcbk.dll
2008-07-20 09:28:29 846010 --ahs---- C:\WINDOWS\system32\WHOrrBeg.ini2
2008-07-20 09:25:00 32256 --a------ C:\WINDOWS\system32\wvUkKcDS.dll
2008-07-19 08:40:42 102400 --a------ C:\WINDOWS\system32\rzoxme.dll
2008-07-19 08:40:37 102400 --a------ C:\WINDOWS\system32\dgnfrwjs.dll
2008-07-19 08:40:12 93696 --a------ C:\WINDOWS\system32\qeageoeb.dll
2008-07-19 08:39:08 887591 --ahs---- C:\WINDOWS\system32\giQrrBeg.ini2
2008-07-19 08:33:56 0 d-------- C:\WINDOWS\system32\carH18
2008-07-19 08:33:54 0 d-------- C:\Temp
2008-07-19 08:33:52 32256 --a------ C:\WINDOWS\system32\urqQhEXN.dll
2008-07-19 08:33:41 77 --a------ C:\Documents and Settings\Wilmas\2567.bat
2008-07-19 08:32:20 53248 ---hs---- C:\Documents and Settings\Wilmas\winlogon.exe
2008-07-19 08:26:53 0 d-------- C:\Program Files\Live_TV
2008-07-12 14:14:35 0 d-------- C:\Documents and Settings\Wilmas\Application Data\Malwarebytes
2008-07-12 14:14:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 14:14:23 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 19:19:45 0 d-------- C:\Program Files\Sun
2008-07-03 16:15:43 0 d-------- C:\Program Files\Conduit
2008-06-30 10:33:19 4096 --a------ C:\WINDOWS\d3dx.dat
2008-06-30 10:33:15 0 d-------- C:\Documents and Settings\Wilmas\Application Data\Wildfire
2008-06-30 10:32:42 0 d-------- C:\Program Files\Tumblebugs
2008-06-30 10:31:08 40960 --a------ C:\WINDOWS\system32\Fish Tycoon.scr
2008-06-30 10:31:04 0 d-------- C:\Program Files\Fish Tycoon
2008-06-28 08:55:40 0 d-------- C:\Program Files\InterActual
2008-06-28 08:51:20 0 d-------- C:\WINDOWS\system32\DLA
2008-06-28 08:47:44 0 d-------- C:\Program Files\SightSpeed
2008-06-28 08:43:13 0 d-------- C:\Program Files\Common Files\SightSpeed
2008-06-25 08:00:43 0 d-------- C:\Documents and Settings\Wilmas\Application Data\Picaboo


-- Find3M Report ---------------------------------------------------------------

2008-07-21 18:22:23 276740 --a------ C:\logfile
2008-07-19 22:39:16 0 d-------- C:\Program Files\Jewel Quest 2
2008-07-16 10:52:20 0 d-------- C:\Program Files\exPressit S.E. 2.1
2008-07-11 19:19:16 0 d-------- C:\Program Files\Java
2008-07-07 18:54:11 0 d-------- C:\Documents and Settings\Wilmas\Application Data\AVGTOOLBAR
2008-07-02 19:21:35 0 d-------- C:\Documents and Settings\Wilmas\Application Data\Roxio
2008-06-30 11:08:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-30 11:03:40 0 d-------- C:\Program Files\Roxio
2008-06-28 08:50:11 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-28 08:50:03 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-06-28 08:45:33 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-28 08:43:13 0 d-a------ C:\Program Files\Common Files
2008-06-28 08:26:07 0 d-------- C:\Program Files\Dell
2008-06-27 09:58:34 0 d-------- C:\Program Files\Picasa2
2008-06-12 19:57:29 91 --a------ C:\WINDOWS\popcinfo.dat
2008-06-06 11:00:39 0 d-------- C:\Documents and Settings\Wilmas\Application Data\AdobeUM
2008-06-03 20:29:54 0 d-------- C:\Program Files\Messenger
2008-06-03 20:29:26 0 d-------- C:\Program Files\Movie Maker
2008-06-03 20:25:41 0 d-------- C:\Program Files\Windows NT
2008-05-30 15:07:44 0 d-------- C:\Program Files\Jewel Quest
2008-05-29 07:55:23 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79882BD6-E34A-4F11-B725-6DCE85B2CD5D}]
C:\WINDOWS\system32\geBrrOHW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/02/2008 03:15 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2A792D8-2B7A-44E6-8E66-74B1A6E12AE7}]
C:\WINDOWS\system32\geBrrQig.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c576c195-6947-4634-a4f0-12e42d68063f}]
07/21/2008 09:34 AM 102400 --a------ C:\WINDOWS\system32\tavzzs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB036A52-3A88-466B-BD39-05A6D9D9B18A}]
C:\WINDOWS\system32\ssqPjhfG.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/02/2008 03:15 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [06/13/2003 09:57 AM]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [09/03/2003 09:33 PM]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/13/2003 11:27 AM]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [03/10/2004 04:26 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/24/2005 08:32 AM]
"nwiz"="nwiz.exe" [02/24/2005 08:32 AM C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [02/24/2005 08:32 AM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 03:20 PM]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [03/30/2006 11:12 AM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [08/08/2000 03:00 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 07:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/02/2008 03:15 PM]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [08/10/2006 12:10 PM]
"DMXLauncher"="C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [08/14/2006 01:07 AM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [07/31/2006 09:00 AM]
"Windows Logon Applicationedc"="C:\Documents and Settings\Wilmas\winlogon.exe" [06/27/2008 06:38 PM]
"0c3382ad"="C:\WINDOWS\system32\iqnxnyha.dll" [07/21/2008 09:37 AM]
"BM0f00b131"="C:\WINDOWS\system32\fnorknws.dll" [07/21/2008 09:31 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [08/08/2000 03:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/14/2007 08:23 PM]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [03/15/2007 07:16 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Wilmas\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
DESKTOP.INI [9/3/2002 10:00:00 AM]
ExpressPLNRnote.lnk - C:\Program Files\Creative Home\Hallmark Card Studio Express\Planner\PLNRnote.exe [1/16/2006 4:28:06 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [6/21/2007 11:56:14 PM]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 3:12:08 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [8/8/2000 3:00:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DB036A52-3A88-466B-BD39-05A6D9D9B18A}"= C:\WINDOWS\system32\ssqPjhfG.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPjhfG]
ssqPjhfG.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll 12/20/2001 10:34 PM 24576 C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrrOHW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wilmas^Start Menu^Programs^Startup^Sonic INSTALLit! Setup.lnk]
backup=C:\WINDOWS\pss\Sonic INSTALLit! Setup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsConfigs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardDrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-22 08:29:44 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 767 MiB / 362.67 MiB
Pagefile Memory (total/avail): 1874.98 MiB / 1391.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1906.68 MiB

C: is Fixed (NTFS) - 111.72 GiB total, 80.92 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Fixed (FAT32) - 149.01 GiB total, 114.85 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD1200JD-75GBB0 - 111.76 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 111.72 GiB - C:

\\.\PHYSICALDRIVE2 - OEI-USB CF/SM/SD/MS USB Device

\\.\PHYSICALDRIVE1 - WD 1600JB External USB Device - 149.05 GiB - 1 partition
\PARTITION0 - Unknown - 149.05 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Wilmas\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WILMA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Wilmas
LOGONSERVER=\\WILMA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared;C:\Program Files\AVG\AVG8
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Wilmas\LOCALS~1\Temp
TMP=C:\DOCUME~1\Wilmas\LOCALS~1\Temp
USERDOMAIN=WILMA
USERNAME=Wilmas
USERPROFILE=C:\Documents and Settings\Wilmas
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Wilmas (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
--> MsiExec.exe /I{0D330013-4A99-46D6-83C6-2C959C68DBFF}
--> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
--> MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
--> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
--> MsiExec.exe /I{26792CA7-D87A-4DBE-896B-C2F66B344511}
--> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
--> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
--> MsiExec.exe /I{637099FB-45FD-4BC7-9651-6FB540DBB749}
--> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
--> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
--> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
--> MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
--> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
--> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Algorithmix Voice Changer Alien --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94D8046F-3F74-466E-B6B3-6621CB467A4F}\setup.exe" -l0x9
Algorithmix Voice Changer Robot --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D5A9F7F-21A8-425C-889B-87D4535A77B3}\setup.exe" -l0x9
Apple Mobile Device Support --> MsiExec.exe /I{763E8D6C-0098-4FF4-801A-3F311D2D9D80}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Baby --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE98DCB3-8A2F-429C-B765-E4A711302FF8}\setup.exe" -l0x9
Bejeweled 2 Deluxe 1.0 --> C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\Install.log"
Bravo Studio Collection --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BA6A2B9-92FE-49CA-9DD0-9C5D61E284A9}\setup.exe" -l0x9
Bravo Studio Volume 1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{561B960D-6FDA-428C-9796-4C3CCC598DB9}\setup.exe" -l0x9
Bravo Studio Volume 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{20326E7B-066B-433C-A648-2E7D4F5EAC2E}\setup.exe" -l0x9
Bursting Bubbles Deluxe 3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Bursting Bubbles Deluxe\irunin.ini"
BWPlugins --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1F4AB00-FEDD-4CB3-9DC9-7F07F79DFE66}\setup.exe" -l0x9
BWPLUGINS 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{54BA5BAD-34F6-4968-B3BB-95954511C058}\setup.exe" -l0x9
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Chuzzle Deluxe 1.0 --> C:\Program Files\PopCap Games\Chuzzle Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Chuzzle Deluxe\Install.log"
Colorize 1.0.0 plugin for Studio 9 --> "C:\Program Files\Pinnacle\Studio 9\plugins\rtfx\unins001.exe"
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Conexant SmartHSFi V.9x 56K DF PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702\HXFSETUP.EXE -U -IDel8d8xk.INF
Cubis Deluxe --> C:\PROGRA~1\FRESHG~1\CUBISD~1\UNWISE.EXE C:\PROGRA~1\FRESHG~1\CUBISD~1\INSTALL.LOG
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
Dangerous Hunts 2 --> MsiExec.exe /I{852940E0-6753-4848-BD4A-18382A3C2C6E}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support 5.0.0 (766) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Drivers Install For Linksys Easylink Advisor --> MsiExec.exe /I{A1960A82-DB70-474D-A86B-FA74466103C6}
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Dynomite Deluxe 2.56k --> C:\Program Files\PopCap Games\Dynomite Deluxe\PopUninstall.exe C:\Program Files\PopCap Games\Dynomite Deluxe\Install.log
Dynomite Editor 1.00 --> C:\Program Files\PopCap Games\Dynomite Deluxe\UnGins.exe "C:\Program Files\PopCap Games\Dynomite Deluxe\install.log"
DziedzicPacks 1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D17BC9C-8A70-42C6-912F-6BDC0D6C393A}\setup.exe" -l0x9
DziedzicPacks 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4569527C-430C-4C42-9E60-CF548E154A82}\setup.exe" -l0x9
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
exPressit S.E. 2.1 --> "C:\Program Files\exPressit S.E. 2.1\UninstallerData\Uninstall exPressit S.E. 2.1.exe"
eZedia eZeMatte --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F55D14-39E0-4415-B1A4-3AF63A727216}\setup.exe" -l0x9
Family Tree Maker 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4004E8B-6A95-4FA4-AA05-731FC6510474}\Setup.exe" -l0x9
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
Fish Tycoon --> "C:\Program Files\Fish Tycoon\unins000.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hallmark Card Studio Express --> MsiExec.exe /X{E7875036-3CFC-4F0F-A470-8EADFFE43F6C}
HFX PRO for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\HFX PRO for Studio\uninstal.log
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HL-Effects for Pinnacle Studio 9 - V1.3 --> "C:\Program Files\Pinnacle\Studio 9\unins000.exe"
Hollywood FX 5.5 Additional Effects --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\5.5\unextralog
Hollywood FX Pack 26 - Extra FX --> C:\WINDOWS\unvise32.exe C:\WINDOWS\unextrafx.log
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Jewel Quest (remove only) --> "C:\Program Files\Jewel Quest\Uninstall.exe"
Jewel Quest 2 --> "C:\Program Files\Jewel Quest 2\ReflexiveArcade\unins000.exe"
Jigsaw Puzzle Platinum Edition Deluxe --> C:\PROGRA~1\JIGS@W~1\UNWISE.EXE C:\PROGRA~1\JIGS@W~1\INSTALL.LOG
Juno Bleach 1.0.0 plugin for Studio 9 --> "C:\Program Files\Pinnacle\Studio 9\plugins\rtfx\unins000.exe"
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_35f76\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark 3100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBRUN5C.EXE -dLexmark 3100 Series
LimeWire 4.18.1 --> "C:\Program Files\LimeWire\uninstall.exe"
Linksys EasyLink Advisor 1.6 (0032) --> rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
Live_TV Toolbar --> C:\PROGRA~1\Live_TV\UNWISE.EXE C:\PROGRA~1\Live_TV\INSTALL.LOG
Luxor --> C:\PROGRA~1\GAMEHO~1\Luxor\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\Luxor\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2000 SR-1 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2001 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe E:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works and Money 2002 Setup Launcher --> C:\Program Files\Microsoft Works and Money 2002\Setup\Launcher.exe D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Moving Picture Full --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BBBA6A1-A15F-44A0-A5C0-3F7FAE9031BC}\setup.exe" -l0x9
Moving Picture LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD16FF3B-3844-45F5-BA8C-AD630FCA9B8E}\setup.exe" -l0x9
Mpeg Layer3 Codec FHG-Radium v1.263 --> C:\WINDOWS\UNWISE.EXE C:\audio\L3CODE~1\INSTALL.LOG
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NewBlue Audio Essentials 1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3664AAFB-1ACB-4ACA-88E0-F666812055A0}\setup.exe" -l0x9
NewBlue Audio Essentials 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AF597BD-5F6B-476A-98D1-19C6A85F0B7A}\setup.exe" -l0x9
NewBlue Audio Essentials 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{46C2EAA4-E790-4DD2-9873-B4FDA6550755}\setup.exe" -l0x9
NewBlue Audio Essentials Collection --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA75A1DD-A042-47AF-A115-8B8D043CD134}\setup.exe" -l0x9
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NSIS JPsEffects --> "C:\Program Files\JPsEffects\uninstall.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Office Mouse --> C:\Program Files\Office Mouse\uninst00.exe
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OLYMPUS Master --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BA820A24-704B-428D-9904-71A10DAC1372} /l1033 /zUNINSTALL
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PConPoint v3.5 --> "C:\Program Files\PConPoint\unins000.exe"
Photo Explosion Special Edition --> MsiExec.exe /X{DD040AAA-F295-492B-AD91-C8DC24488273}
PhotoMix 5.3 --> "C:\Program Files\PhotoMix\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pinnacle Hollywood FX 5 --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX 5\uninstal.log
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\5.5\uninstal.log
Pinnacle PCI Performance Enhancer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E5A81BA-4702-490A-B729-0BFF6E7CBF96}\setup.exe" -l0x9
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Profound effect Bloom --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D3EF71E-3B3A-4D87-ABF9-B11F5C91D5E3}\setup.exe" -l0x9
Profound effect Digital Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3A11784-BC75-42BE-9F14-24FAB53402ED}\setup.exe" -l0x9
Profound effect Generic Cam recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{81BB044C-3CDD-441C-9A71-EDE87E4DA4C9}\setup.exe" -l0x9
Profound effect Hi end Cam recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48299665-C4D7-4A89-9AD8-2EE4A014F4C6}\setup.exe" -l0x9
Profound effect Hi end SLR C11 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91389C3E-32CA-4550-BB1F-FF678C04A099}\setup.exe" -l0x9
Profound effect LCD grid --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB9C38AF-398E-4872-989A-B1EE22CE2E98}\setup.exe" -l0x9
Profound effect Old SLR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDB3C993-9358-406A-A399-0F36CC3FA290}\setup.exe" -l0x9
Profound effect Scan lines --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6FECF6D0-642A-4AE2-A3F2-139D0C56CA95}\setup.exe" -l0x9
Profound effect SLR --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E6983FC6-F732-449E-A706-340A39932904}\setup.exe" -l0x9
Profound effect Video noise --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FEFB246A-F9A4-43C0-967E-74520E143D43}\setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Roxio Content 9 --> MsiExec.exe /X{787F2DC2-1699-44FA-A72F-9107166AF9CC}
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Easy Media Creator 7 --> MsiExec.exe /I{A99C6296-A311-4D6C-9602-53B4241921D5}
Roxio Easy Media Creator 9 Suite --> MsiExec.exe /I{938B1CD7-7C60-491E-AA90-1F1888168240}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
SightSpeed (remove only) --> "C:\Program Files\SightSpeed\uninst.exe"
skin0001 --> MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Socialnetworking Helper Adssite --> C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Studio 9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E491AB7-4589-48CA-9CBB-874CB2788391}\Setup.exe" -l0x9 UNINSTALL
Studio 9.4 Patch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16E217EA-C3E0-402D-8D4F-6189DB74497A}\setup.exe" -l0x9 UNINSTALL
Super Bounce Out! from GameHouse --> C:\PROGRA~1\GAMEHO~1\BOUNCE~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\BOUNCE~1\INSTALL.LOG
Tarzan --> C:\MYGAME~1\1TIMET~1\Tarzan\UNWISE.EXE C:\MYGAME~1\1TIMET~1\Tarzan\INSTALL.LOG
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Tumblebugs --> C:\PROGRA~1\TUMBLE~1\UNWISE.EXE C:\PROGRA~1\TUMBLE~1\INSTALL.LOG
UFX Animals --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1D1C7B00-EA0D-4804-A5C3-2792BBD1D7A7}\setup.exe" -l0x9
UFX Classic Foley --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E4B5BDA2-8FC1-4B0D-9639-B28E001E8A81}\setup.exe" -l0x9
UFX Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05CE9B3C-42CD-41F4-8307-75DDB5B8C30A}\setup.exe" -l0x9
UFX Vehicles2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C7F3158-9677-4EA7-83ED-207FFDD33FA3}\setup.exe" -l0x9
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Earth 3D (Beta) --> MsiExec.exe /X{619B8475-0F48-41B7-A370-5147F7092989}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WindowBlinds --> C:\PROGRA~1\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zuma Deluxe RA --> C:\PROGRA~1\ZUMADE~1\UNWISE.EXE C:\PROGRA~1\ZUMADE~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type40194 / Warning
Event Submitted/Written: 07/21/2008 00:52:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type40184 / Warning
Event Submitted/Written: 07/21/2008 11:08:16 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type40176 / Warning
Event Submitted/Written: 07/21/2008 10:35:38 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type40175 / Error
Event Submitted/Written: 07/21/2008 10:24:34 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 754232498.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type40174 / Error
Event Submitted/Written: 07/21/2008 10:24:25 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ctfmon.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x77124ba2.
Processing media-specific event for [ctfmon.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type42289 / Error
Event Submitted/Written: 07/22/2008 04:55:21 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type42287 / Warning
Event Submitted/Written: 07/22/2008 03:47:10 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type42285 / Error
Event Submitted/Written: 07/22/2008 00:47:44 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Event Record #/Type42272 / Error
Event Submitted/Written: 07/21/2008 02:07:59 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DVC 150B service failed to start due to the following error:
%%1058

Event Record #/Type42255 / Error
Event Submitted/Written: 07/21/2008 00:55:51 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DVC 150B service failed to start due to the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2008-07-22 08:29:44 ------------

Malwarebytes' Anti-Malware 1.22
Database version: 978
Windows 5.1.2600 Service Pack 3

8:51:57 AM 7/22/2008
mbam-log-7-22-2008 (08-51-57).txt

Scan type: Quick Scan
Objects scanned: 42181
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 57

Memory Processes Infected:
C:\Documents and Settings\Wilmas\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\iqnxnyha.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\tavzzs.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c576c195-6947-4634-a4f0-12e42d68063f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c576c195-6947-4634-a4f0-12e42d68063f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live_TV Toolbar (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c3382ad (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b69a9db4-d0a1-4722-b56b-f20757a29cdf} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{b69a9db4-d0a1-4722-b56b-f20757a29cdf} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b69a9db4-d0a1-4722-b56b-f20757a29cdf} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm0f00b131 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\RadioPlayer (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\tavzzs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\iqnxnyha.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ahynxnqi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ubtanfox.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wedyqcbk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\INSTALL.LOG (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\tbLive.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\toolbar.cfg (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Live_TV\UNWISE.EXE (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\LocalSettings.txt (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\ThirdPartyComponents.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\update.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_63_136_CT1360763_Images_1256613422_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_-1611650343_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_-1616510062_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_1256574750_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_1256594985_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_1477248454_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633211004690737500_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633323304820925000_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633323304996393750_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633323305088425000_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633323305474518750_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633341279781868750_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633403616553356250_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_633463264160275000_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_735535110_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_999644891_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_Email-04orange_gif-Colorized-633323306911237500_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___storage_conduit_com_65_64_CT649865_Images_PopUpBlocker-21_gif-comic02-633323306370612500_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___weather_conduit_com_images_weather_Default_cloudy_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_bankimages_commandcomps_block_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_BankImages_CommandComps_highlighter_dis_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_BankImages_CommandComps_highlighter_icon_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_ClientImages_radio_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_rssImages_rrs16Images_rss01x16green_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_rssImages_rrs16Images_rss01x16red_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_rssImages_rrs16Images_rss01x16_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_rssImages_rrs16Images_rss03x16blue_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_SearchEngines_images_search_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_SearchEngines_news_search_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_SearchEngines_site_search_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\CacheIcons\http___www_conduit_com_Images_SearchEngines_weather_search_gif.gif (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\RadioPlayer\Predefined_Media_List.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss\aslc=0&floc=1&sabfmts=2&saprclo=150&sascs=2&saprchi=550&saaff=afepn&ftrv=8&fbfmt=1&ftrt=1&fcl=3&ft=1&frpp=50&customid=&nojspr=y&satitle=new&afmp=&sacat=293&saslop=1&fss=0.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss\http___feeds_feedburner_com_metacafe_TYps.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss\http___feeds_feedburner_com_metacafe_TYps_structured.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss\http___video_google_com_videofeed_type=top100new&num=20&output=rss.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss\http___video_google_com_videofeed_type=top100new&num=20&output=rss_structured.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss\http___youtube_com_rss_global_top_viewed_today_rss.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\Local Settings\Application Data\Live_TV\rss\http___youtube_com_rss_global_top_viewed_today_rss_structured.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilmas\winlogon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fnorknws.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0f00b131.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0f00b131.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
