
Suspected Trojan, Popups With 404 Error


13 replies to this topic

#1 Cloud_D

Cloud_D

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 09 May 2008 - 06:21 AM

I think I'm infected with a trojan, although I'm not too sure whether that's the case. I've scanned my system with Spyware Doctor and have the following under quarantine:

- Trojan.Virtumonde
- Trojan.Agent

After that I've scanned with McAfee and nothing was detected. However, I'm still getting popups when I run IE and Firefox. Could anyone help me take a look? Much appreciated.

Deckard's System Scanner v20071014.68
Run by Daniel on 2008-05-09 18:05:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-09 18:06:46
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\IoctlSvc.exe
C:\Windows\System32\svchost.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\Folding@Home\winFAH.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Windows\System32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
E:\Program Files\Folding@Home\FahCore_80.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Windows\System32\VSSVC.exe
C:\Windows\System32\svchost.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Program Files\McAfee\VirusScan\mcvsshld.exe
E:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Users\Daniel\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\vtUmMdec.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Daniel\AppData\Local\Temp\geBuRHWN.dll,c
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\rvvpytcw.dll",s
O4 - HKCU\..\Run: [040040a6] rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\ohfoarxa.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Folding@Home 5.03.lnk = E:\Program Files\Folding@Home\winfah.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\Program Files\Avanquest\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\System32\IoctlSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 11761 bytes

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-09 12:28:37 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-09 12:11:32 0 d-------- C:\Users\All Users\Nero
2008-05-09 12:11:32 0 d-------- C:\Program Files\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files\Nero
2008-05-07 12:15:06 73728 --a------ C:\Windows\system32\GkSui18.EXE
2008-05-07 12:15:06 69632 --a------ C:\Windows\system32\Copy of GkSui18.EXE
2008-05-01 21:10:48 0 d-------- C:\Users\All Users\ZoomBrowser
2008-04-27 22:00:53 0 d-------- C:\Users\Daniel\Desktop
2008-04-27 22:00:50 0 d-------- C:\Windows\WinRAR
2008-04-27 16:56:46 0 d-------- C:\Program Files\Java
2008-04-27 16:56:44 0 d-------- C:\Program Files\Common Files\Java
2008-04-26 19:01:04 0 d-------- C:\Program Files\Canon
2008-04-26 18:59:44 0 d-------- C:\Program Files\Common Files\Canon
2008-04-25 22:42:27 0 d-------- C:\327882R2FWJFW
2008-04-25 22:12:08 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-23 18:18:56 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-04-21 20:55:27 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-20 23:30:18 0 d--h----- C:\Users\All Users\CanonBJ
2008-04-19 22:26:20 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-19 12:15:12 0 d-------- C:\Users\All Users\BVRP Software
2008-04-19 12:13:40 0 dr-hs---- C:\_Backup.RC
2008-04-19 12:13:35 0 d--h----- C:\_Backup
2008-04-19 12:11:23 0 d-------- C:\Users\All Users\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 10:53:50 0 d-------- C:\Users\All Users\Adobe Systems
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 10:36:43 0 d-------- C:\Users\All Users\Adobe
2008-04-19 10:36:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 04:01:28 0 d-------- C:\Windows\Panther
2008-04-19 03:06:48 0 d-------- C:\Windows\SoftwareDistribution
2008-04-19 03:04:41 0 d-------- C:\Windows\Debug
2008-04-19 03:02:37 0 d-------- C:\Windows\Prefetch
2008-04-19 02:00:11 0 d-------- C:\Users\All Users\SiteAdvisor
2008-04-19 02:00:11 0 d-------- C:\Program Files\SiteAdvisor
2008-04-19 01:58:25 0 d-------- C:\Program Files\McAfee.com
2008-04-19 01:58:21 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:20 0 d-------- C:\Program Files\McAfee
2008-04-19 01:52:15 0 d-------- C:\Users\All Users\McAfee
2008-04-19 00:18:39 0 d-------- C:\Users\All Users\Messenger Plus!
2008-04-18 16:27:56 0 d-------- C:\Windows\system32\Macromed
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:56:59 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:58 0 d-------- C:\Users\All Users\Apple Computer
2008-04-18 15:56:26 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:55:35 0 d-------- C:\Users\All Users\Apple
2008-04-18 15:45:52 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:42:52 0 d-------- C:\Users\All Users\Microsoft Help
2008-04-18 15:42:28 0 dr-h----- C:\MSOCache
2008-04-18 15:37:49 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:31:45 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:31:40 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:30:37 0 d-------- C:\Users\All Users\WLInstaller
2008-04-18 15:14:40 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:12 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:10:00 0 d-------- C:\Windows\PCHEALTH
2008-04-18 14:49:33 0 d--hs---- C:\Windows\Installer
2008-04-18 14:49:25 0 d-------- C:\Users\All Users\PC Tools
2008-04-18 14:48:00 0 d-a------ C:\Users\All Users\TEMP
2008-04-18 14:31:53 0 d-------- C:\PerfLogs
2008-04-18 14:15:41 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 14:01:58 0 d-------- C:\bc4df1d51d879d6c5c156d0475
2008-04-18 13:31:53 0 d-------- C:\Users\All Users\NVIDIA
2008-04-18 13:28:20 0 d-------- C:\Windows\system32\RTCOM
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:23 0 d-------- C:\Users\Daniel\Contacts
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Templates
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Start Menu
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\SendTo
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Recent
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\PrintHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\NetHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\My Documents
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Local Settings
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Cookies
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Application Data
2008-04-18 12:19:15 1572864 --ahs---- C:\Users\Daniel\NTUSER.DAT
2008-04-18 12:19:15 0 d--h----- C:\Users\Daniel\AppData
2008-04-18 11:51:30 0 d--hs---- C:\Boot
2008-04-18 11:22:43 0 d-------- C:\$WIN_NT$.~BT
2008-04-18 09:04:39 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-05-09 18:11:58 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-05-09 12:18:50 0 d-------- C:\Users\Daniel\AppData\Roaming\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files
2008-05-06 22:05:09 0 d-------- C:\Users\Daniel\AppData\Roaming\ZoomBrowser EX
2008-04-30 16:41:24 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-27 22:02:15 0 d-------- C:\Users\Daniel\AppData\Roaming\WinRAR
2008-04-25 22:12:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 14:38:33 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 12:19:22 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Mail
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [04/25/2008 06:52 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [02/18/2008 04:29 PM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM]
"MSServer"="C:\Users\Daniel\AppData\Local\Temp\vtUmMdec.dll,#1" []
"cmds"="C:\Users\Daniel\AppData\Local\Temp\geBuRHWN.dll,c" []
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [02/28/2008 05:07 PM]
"BM0733733a"="C:\Users\Daniel\AppData\Local\Temp\rvvpytcw.dll,s" []
"040040a6"="C:\Users\Daniel\AppData\Local\Temp\ohfoarxa.dll,b" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"BM0733733a"=Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
Folding@Home 5.03.lnk - E:\Program Files\Folding@Home\winfah.exe [5/7/2008 12:14:58 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-09 18:13:25 ------------



#2 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 11 May 2008 - 11:57 AM

Hi,

I found a guide regarding this problem and did a system restore and ran a Vundo removal tool. Spyware Doctor's scan indicates that my computer is clean now and the popups aren't appearing anymore. It may be just me, but I'm surprised that a Vundo infection can be removed that easily, so it would be appreciated if someone could help me take a look.

Thanks a bunch!

Deckard's System Scanner v20071014.68
Run by Daniel on 2008-05-12 00:54:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1023 MiB (1024 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-12 00:54:49
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\taskeng.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Windows\System32\svchost.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Windows\System32\svchost.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
E:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\microsoft shared\Windows Live\WLLoginProxy.exe
C:\Windows\System32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\conime.exe
C:\Program Files\McAfee\VirusScan\mcvsshld.exe
C:\Windows\System32\msiexec.exe
C:\Windows\servicing\TrustedInstaller.exe
E:\Users\Daniel\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\Program Files\Avanquest\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 10615 bytes

-- Files created between 2008-04-12 and 2008-05-12 -----------------------------

2008-05-12 00:53:14 368640 --a------ C:\Windows\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corporation; TwnLib4 - TwainPRO v4.0 - Utility Library>
2008-05-12 00:53:14 802816 --a------ C:\Windows\system32\imagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:14 258048 --a------ C:\Windows\system32\imagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:13 1757184 --a------ C:\Windows\system32\imagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-11 11:10:11 0 d-------- C:\VundoFix Backups
2008-05-10 09:57:26 0 d-------- C:\Program Files\MSXML 4.0
2008-05-09 12:28:37 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-09 12:11:32 0 d-------- C:\Users\All Users\Nero
2008-05-09 12:11:32 0 d-------- C:\Program Files\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files\Nero
2008-05-01 21:10:48 0 d-------- C:\Users\All Users\ZoomBrowser
2008-04-27 22:00:53 0 d-------- C:\Users\Daniel\Desktop
2008-04-27 22:00:50 0 d-------- C:\Windows\WinRAR
2008-04-27 16:56:46 0 d-------- C:\Program Files\Java
2008-04-27 16:56:44 0 d-------- C:\Program Files\Common Files\Java
2008-04-26 19:01:04 0 d-------- C:\Program Files\Canon
2008-04-26 18:59:44 0 d-------- C:\Program Files\Common Files\Canon
2008-04-25 22:42:27 0 d-------- C:\327882R2FWJFW
2008-04-25 22:12:08 0 d-------- C:\Users\All Users\Malwarebytes
2008-04-23 18:18:56 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-04-21 20:55:27 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-20 23:30:18 0 d--h----- C:\Users\All Users\CanonBJ
2008-04-19 22:26:20 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-19 12:15:12 0 d-------- C:\Users\All Users\BVRP Software
2008-04-19 12:13:40 0 dr-hs---- C:\_Backup.RC
2008-04-19 12:13:35 0 d--h----- C:\_Backup
2008-04-19 12:11:23 0 d-------- C:\Users\All Users\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 10:53:50 0 d-------- C:\Users\All Users\Adobe Systems
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 10:36:43 0 d-------- C:\Users\All Users\Adobe
2008-04-19 10:36:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 04:01:28 0 d-------- C:\Windows\Panther
2008-04-19 03:06:48 0 d-------- C:\Windows\SoftwareDistribution
2008-04-19 03:04:41 0 d-------- C:\Windows\Debug
2008-04-19 03:02:37 0 d-------- C:\Windows\Prefetch
2008-04-19 02:00:11 0 d-------- C:\Users\All Users\SiteAdvisor
2008-04-19 02:00:11 0 d-------- C:\Program Files\SiteAdvisor
2008-04-19 01:58:25 0 d-------- C:\Program Files\McAfee.com
2008-04-19 01:58:21 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:20 0 d-------- C:\Program Files\McAfee
2008-04-19 01:52:15 0 d-------- C:\Users\All Users\McAfee
2008-04-19 00:18:39 0 d-------- C:\Users\All Users\Messenger Plus!
2008-04-18 16:27:56 0 d-------- C:\Windows\system32\Macromed
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:56:59 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:58 0 d-------- C:\Users\All Users\Apple Computer
2008-04-18 15:56:26 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:55:35 0 d-------- C:\Users\All Users\Apple
2008-04-18 15:45:52 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:42:52 0 d-------- C:\Users\All Users\Microsoft Help
2008-04-18 15:42:28 0 dr-h----- C:\MSOCache
2008-04-18 15:37:49 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:31:45 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:31:40 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:30:37 0 d-------- C:\Users\All Users\WLInstaller
2008-04-18 15:14:40 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:12 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 15:10:00 0 d-------- C:\Windows\PCHEALTH
2008-04-18 14:49:33 0 d--hs---- C:\Windows\Installer
2008-04-18 14:49:25 0 d-------- C:\Users\All Users\PC Tools
2008-04-18 14:48:00 0 d-a------ C:\Users\All Users\TEMP
2008-04-18 14:31:53 0 d-------- C:\PerfLogs
2008-04-18 14:15:41 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 14:01:58 0 d-------- C:\bc4df1d51d879d6c5c156d0475
2008-04-18 13:31:53 0 d-------- C:\Users\All Users\NVIDIA
2008-04-18 13:28:20 0 d-------- C:\Windows\system32\RTCOM
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:23 0 d-------- C:\Users\Daniel\Contacts
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Templates
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Start Menu
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\SendTo
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Recent
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\PrintHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\NetHood
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\My Documents
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Local Settings
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Cookies
2008-04-18 12:19:16 0 d--hs---- C:\Users\Daniel\Application Data
2008-04-18 12:19:15 1310720 --ahs---- C:\Users\Daniel\ntuser.dat
2008-04-18 12:19:15 0 d--h----- C:\Users\Daniel\AppData
2008-04-18 11:51:30 0 d--hs---- C:\Boot
2008-04-18 11:22:43 0 d-------- C:\$WIN_NT$.~BT
2008-04-18 09:04:39 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-05-12 00:55:22 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-05-09 12:18:50 0 d-------- C:\Users\Daniel\AppData\Roaming\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files
2008-05-06 22:05:09 0 d-------- C:\Users\Daniel\AppData\Roaming\ZoomBrowser EX
2008-04-30 16:41:24 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-27 22:02:15 0 d-------- C:\Users\Daniel\AppData\Roaming\WinRAR
2008-04-25 22:12:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 14:38:33 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 12:19:22 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Mail
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [04/25/2008 06:52 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"BM0733733a"=Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-12 00:56:49 ------------

#3 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:11:55 AM

Posted 27 May 2008 - 02:02 PM

Hello Cloud_D and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#4 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 27 May 2008 - 08:46 PM

Hi,

Thanks for the reply. My system is free from problems after a system restore although I'm not sure I got rid of the infection, so could you help me take a look? Thanks!

Deckard's System Scanner v20071014.68
Run by Daniel on 2008-05-28 09:36:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-28 09:36:42
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\taskeng.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Windows\System32\svchost.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Avanquest\Fix-It\mxtask.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Windows\System32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
E:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\microsoft shared\Windows Live\WLLoginProxy.exe
C:\Windows\System32\Macromed\Flash\FlashUtil9f.exe
E:\Users\Daniel\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - E:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\Program Files\Avanquest\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 10951 bytes

-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-25 03:49:44 0 d-------- C:\Program Files\InstallShield Installation Information
2008-05-25 03:49:12 0 d-------- C:\Users\All Users\Seagate
2008-05-25 03:47:40 0 d-------- C:\Windows\Downloaded Installations
2008-05-22 17:11:35 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-12 01:02:40 0 d-------- C:\Windows\RegCure
2008-05-12 00:53:14 368640 --a------ C:\Windows\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corporation; TwnLib4 - TwainPRO v4.0 - Utility Library>
2008-05-12 00:53:14 802816 --a------ C:\Windows\system32\imagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:14 258048 --a------ C:\Windows\system32\imagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:13 1757184 --a------ C:\Windows\system32\imagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-11 11:10:11 0 d-------- C:\VundoFix Backups
2008-05-10 09:57:26 0 d-------- C:\Program Files\MSXML 4.0
2008-05-09 12:28:37 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-09 12:11:32 0 d-------- C:\Users\All Users\Nero
2008-05-09 12:11:32 0 d-------- C:\Program Files\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files\Nero
2008-05-01 21:10:48 0 d-------- C:\Users\All Users\ZoomBrowser


-- Find3M Report ---------------------------------------------------------------

2008-05-28 01:17:57 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-05-23 11:04:52 0 d-------- C:\Program Files\SiteAdvisor
2008-05-20 13:47:11 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-18 12:08:29 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-05-14 10:55:20 0 d-------- C:\Program Files\Windows Mail
2008-05-09 12:18:50 0 d-------- C:\Users\Daniel\AppData\Roaming\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files
2008-05-06 22:05:09 0 d-------- C:\Users\Daniel\AppData\Roaming\ZoomBrowser EX
2008-05-01 21:37:52 0 d-------- C:\Program Files\Canon
2008-05-01 21:07:53 0 d-------- C:\Program Files\Common Files\Canon
2008-04-30 16:41:24 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-27 22:02:15 0 d-------- C:\Users\Daniel\AppData\Roaming\WinRAR
2008-04-27 16:58:00 0 d-------- C:\Program Files\Java
2008-04-27 16:56:44 0 d-------- C:\Program Files\Common Files\Java
2008-04-25 22:12:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:55:29 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 15:21:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 14:38:33 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:43:44 0 d-------- C:\Program Files\McAfee
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 01:58:53 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:32 0 d-------- C:\Program Files\McAfee.com
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:57:34 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:45:53 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:37:50 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:35:17 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:35:01 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:14:41 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:15 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 14:01:58 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [04/25/2008 06:52 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]
"basicsmssmenu"="E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [10/09/2007 04:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/18/2008 11:33 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"BM0733733a"=Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19b452b-29b9-11dd-a4d5-0019212c5eb4}]
AutoRun\command- L:\Launch.exe /run


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-28 09:37:33 ------------

#5 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:11:55 AM

Posted 28 May 2008 - 02:05 PM

Hi Cloud_D,

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you are putting yourself at risk of being indicted by organisations that watch over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #1

Run HijackThis, press Scan, and put a check mark next to all these entries:

O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')


Close all other windows and browsers, and press the Fix Checked button.

Step #2

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #3

Please download NoLop to your Desktop
  • First close any other programs you have running as this will require a reboot.
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy".
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK.
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

Please post the contents of C:\NoLop.log along with a fresh log from HijackThis. Let me know if you had any problems during the fix.

Step #4

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Messenger Plus!

Messenger Plus comes with adware, which is what caused you to have the Lop infection. If you really need it, you may install it again after the cleaning process, but do make sure you remove the Lop option that you are faced with during the install process.

Step #5

I want you to back up the registry, because we are going to make a few changes to it.
To export the registry to a ".reg" file, please follow these steps: (for a complete tutorial, you can also click here).

Backup your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it (with the installer)
    http://aumha.org/freeware/freeware.php
  • Use the setup program to install ERUNT on your computer
  • Click Erunt.exe to backup your registry to the folder of your choice.
Now that a secure backup copy has been made, copy the entire contents of the CODE box below into Notepad.

Windows Registry Editor Version 5.00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"BM0733733a"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19b452b-29b9-11dd-a4d5-0019212c5eb4}]

Then click File > Save and save as fix.reg (save as type: All files) to the Desktop.
Go to the Desktop and double-click fix.reg. When prompted to merge its contents to the registry, click the Yes button. You may remove the file afterwards.

Step #6

Please open Malwarebytes' Antimalware
  • Make sure you check for an update prior to running it.
  • Now please select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step #7

Can you please have a look if the extra.txt file created by DSS is present in the C:\Deckard\System Scanner folder? I really want that log.
If you cannot find the log, then please do the following:
  • Close all programs and/or windows so that you have nothing open and are at your Desktop.
  • Click on Start, then click on Run.
  • In the Open: field copy and paste the entire contents inside the CODE box below and press the OK button.

    "%userprofile%\Desktop\dss.exe" /config

    This will open up DSS configuration.
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • When finished, please post back both logs that open in Notepad: main.txt and extra.txt.
Step #8

Please post back with the following:
  • C:\NoLop.log
  • Malwarebytes' Antimalware log
  • extra.txt from DSS
  • Fresh HijackThis log
Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
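The two O4 lines fixed in Step #1 and the .reg deletions in Step #5 follow a pattern worth automating. The script below is an added example for this thread (it is not HijackThis, DSS or BleepingComputer code): it parses HijackThis O4 lines and the DSS MountPoints2 AutoRun line, flags a rundll32 loader that pulls a DLL from a user-writable temp folder, notes when that value sits in the SYSTEM hive (S-1-5-18, which HijackThis also reports as .DEFAULT), and renders the equivalent "Name"=- deletions. The sample log is constructed from lines quoted in this thread plus benign entries for contrast; the path markers and the hive-to-key mapping are this example's own assumptions.

```python
"""Triage autostart entries from a HijackThis / DSS style log.

Added example for this thread; it is not HijackThis, DSS or BleepingComputer
code.  It parses O4 (Run key) lines and the DSS MountPoints2 "AutoRun\\command"
line, flags the pattern fixed in Step #1 (rundll32 loading a DLL from a
user-writable temp folder, registered in the SYSTEM account's hive, which
HijackThis reports as both S-1-5-18 and .DEFAULT) and renders the matching
.reg deletions from Step #5.  The path markers and the hive-to-key mapping are
this example's own assumptions.
"""
import re

# Constructed sample: O4 lines and the AutoRun line quoted from the thread's
# logs, plus benign entries for contrast (NvCplDaemon also uses rundll32).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
AutoRun\command- L:\Launch.exe /run
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
AUTORUN_RE = re.compile(r"^AutoRun\\command- (?P<cmd>.+)$")
# rundll32 target: the first (optionally quoted) argument, up to the ",entrypoint" separator.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)

# Assumed markers for folders any user can write to; droppers favour these.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\local settings\\", "\\recycler\\")
# The SYSTEM hive (S-1-5-18) and its .DEFAULT alias: a user-mode program has no
# business registering a Run value there.
PRIVILEGED_HIVES = ("S-1-5-18", ".DEFAULT")

# HijackThis hive label -> full Run key (assumption: standard Run key locations).
REG_PATH = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}


def reg_key_for(hive):
    """Map an O4 hive label such as 'HKUS\\S-1-5-18' to the full Run key path."""
    if hive in REG_PATH:
        return REG_PATH[hive]
    if hive.startswith("HKUS\\"):
        sid = hive.split("\\", 1)[1]
        return r"HKEY_USERS\%s\Software\Microsoft\Windows\CurrentVersion\Run" % sid
    return None  # not a Run key we know how to name (e.g. MountPoints2)


def assess(hive, cmd):
    """Return the reasons an O4 entry looks like a dropped loader (empty if benign)."""
    reasons = []
    m = RUNDLL_RE.match(cmd.strip())
    if m and any(marker in m.group("dll").lower() for marker in USER_WRITABLE):
        reasons.append("rundll32 loads a DLL from a user-writable folder")
        if any(tag in hive for tag in PRIVILEGED_HIVES):
            reasons.append("value is registered in the SYSTEM/.DEFAULT hive")
    return reasons


def triage(log_text):
    """Parse the log and return one finding per flagged entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = assess(m.group("hive"), m.group("cmd"))
            if reasons:
                findings.append({"hive": m.group("hive"), "name": m.group("name"),
                                 "cmd": m.group("cmd"), "reasons": reasons})
            continue
        m = AUTORUN_RE.match(line)
        if m:  # a cached AutoRun for a removable drive, as in the thread's MountPoints2 key
            findings.append({"hive": "MountPoints2", "name": "AutoRun", "cmd": m.group("cmd"),
                             "reasons": ["AutoRun command cached for a removable drive"]})
    return findings


def reg_fix(findings):
    """Render .reg deletions for flagged Run values, using the Step #5 idiom "Name"=-."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        key = reg_key_for(f["hive"])
        if key is None:
            continue  # MountPoints2 entries are keyed by volume GUID; delete the key by hand
        lines += ["[%s]" % key, '"%s"=-' % f["name"], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-14s %-12s %s" % (f["hive"], f["name"], "; ".join(f["reasons"])))
    print()
    print(reg_fix(found))
```

Run it as a script and it prints the two BM0733733a loader entries with their reasons, the removable-drive AutoRun, and a .reg body that deletes the two values; the NvCplDaemon line is not flagged because its DLL lives under system32. The MountPoints2 key is deliberately left out of the generated .reg because its GUID name is only known from the live registry (the helper's Step #5 fix names it explicitly).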


#6 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:55 PM

Posted 28 May 2008 - 09:36 PM

Hi,

For step 3 using NoLop, I encountered this error when I clicked Search and Destroy:

Run time error '75':
Path/File access error

I haven't done anything from step 3 onwards. Please advise. Thank you.

#7 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:11:55 AM

Posted 29 May 2008 - 12:15 AM

Hi Cloud_D,

Sorry, that's my fault. Since you are on Vista, you will need to right-click the file and choose "Run as administrator." That should allow you to run the programme just fine. You will find that you need to do that for other programmes too. Sorry about that.



#8 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:55 PM

Posted 29 May 2008 - 01:09 AM

Hi,

I didn't uninstall Messenger Plus as NoLop showed I wasn't infected. Is that OK? Otherwise, here are the logs.

1) NoLop! Log by Skate_Punk_21

Fix running from: E:\Users\Daniel\Desktop
[5/29/2008]
[1:18:30 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---


2) Malwarebytes' Anti-Malware 1.12
Database version: 797

Scan type: Quick Scan
Objects scanned: 33955
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\1ZLMYZUJ\idkfa[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\1ZLMYZUJ\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\91CCO8QK\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.


3) Deckard's System Scanner v20071014.68
Run by Daniel on 2008-05-29 14:03:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
9: 2008-05-29 04:35:19 UTC - RP71 - Scheduled Checkpoint
8: 2008-05-28 03:46:52 UTC - RP70 - Windows Update
7: 2008-05-27 03:41:54 UTC - RP69 - Scheduled Checkpoint
6: 2008-05-26 06:56:29 UTC - RP68 - Scheduled Checkpoint
5: 2008-05-24 19:59:59 UTC - RP67 - Windows Backup


-- First Restore Point --
1: 2008-05-21 12:25:43 UTC - RP61 - Scheduled Checkpoint


Performed disk cleanup.



-- HijackThis (run as Daniel.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:30 PM, on 5/29/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
E:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Windows\system32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\conime.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
E:\Users\Daniel\Desktop\dss.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\DllHost.exe
C:\HJT\Daniel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] E:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - E:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10110 bytes

-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20080529-102717-660 O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
backup-20080529-102717-938 O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\Windows\System32\svchost.exe (pid 1052)
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\Windows\System32\svchost.exe (pid 1116)
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\Windows\System32\svchost.exe (pid 1328)
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\Windows\explorer.exe (pid 228)
2007-08-31 13:57:42 28672 --a------ E:\Program Files\Avanquest\Fix-It\WinHook.dll <Not Verified; Avanquest Software USA, Inc.; Fix-It Utilities>
2007-08-31 14:06:20 36864 --a------ E:\Program Files\Avanquest\Fix-It\MXCtxMnu.dll <Not Verified; Avanquest Software USA, Inc.; Fix-It Utilities>
2007-08-31 13:46:18 45056 --a------ E:\Program Files\Avanquest\Fix-It\mxdlgsup.dll <Not Verified; Avanquest Software USA, Inc.; Fix-It Utilities>
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\Windows\System32\rundll32.exe (pid 2300)
2007-08-31 13:57:42 28672 --a------ E:\Program Files\Avanquest\Fix-It\WinHook.dll <Not Verified; Avanquest Software USA, Inc.; Fix-It Utilities>


-- Scheduled Tasks -------------------------------------------------------------

2008-05-29 13:42:32 424 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{54C04306-396D-428A-A04D-8B1A362526F2}.job
2008-05-29 13:37:59 440 --a------ C:\Windows\Tasks\RegCure Program Check.job
2008-05-01 03:24:53 374 --a------ C:\Windows\Tasks\RegCure.job
2008-05-01 01:00:07 334 --a------ C:\Windows\Tasks\McQcTask.job
2008-04-19 10:12:11 342 --a------ C:\Windows\Tasks\McDefragTask.job


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 13:18:30 106 --a------ C:\delete.bat
2008-05-29 10:18:08 0 d-------- C:\HJT
2008-05-28 20:43:40 0 d-------- C:\Program Files\Yahoo!
2008-05-25 03:49:44 0 d-------- C:\Program Files\InstallShield Installation Information
2008-05-25 03:49:12 0 d-------- C:\Users\All Users\Seagate
2008-05-25 03:47:40 0 d-------- C:\Windows\Downloaded Installations
2008-05-22 17:11:35 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-12 01:02:40 0 d-------- C:\Windows\RegCure
2008-05-12 00:53:14 368640 --a------ C:\Windows\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corporation; TwnLib4 - TwainPRO v4.0 - Utility Library>
2008-05-12 00:53:14 802816 --a------ C:\Windows\system32\imagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:14 258048 --a------ C:\Windows\system32\imagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:13 1757184 --a------ C:\Windows\system32\imagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-11 11:10:11 0 d-------- C:\VundoFix Backups
2008-05-10 09:57:26 0 d-------- C:\Program Files\MSXML 4.0
2008-05-09 12:28:37 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-09 12:11:32 0 d-------- C:\Users\All Users\Nero
2008-05-09 12:11:32 0 d-------- C:\Program Files\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files\Nero
2008-05-01 21:10:48 0 d-------- C:\Users\All Users\ZoomBrowser


-- Find3M Report ---------------------------------------------------------------

2008-05-29 13:42:02 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-05-28 21:01:22 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-05-23 11:04:52 0 d-------- C:\Program Files\SiteAdvisor
2008-05-20 13:47:11 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-18 12:08:29 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-05-14 10:55:20 0 d-------- C:\Program Files\Windows Mail
2008-05-09 12:18:50 0 d-------- C:\Users\Daniel\AppData\Roaming\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files
2008-05-06 22:05:09 0 d-------- C:\Users\Daniel\AppData\Roaming\ZoomBrowser EX
2008-05-01 21:37:52 0 d-------- C:\Program Files\Canon
2008-05-01 21:07:53 0 d-------- C:\Program Files\Common Files\Canon
2008-04-30 16:41:24 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-27 22:02:15 0 d-------- C:\Users\Daniel\AppData\Roaming\WinRAR
2008-04-27 16:58:00 0 d-------- C:\Program Files\Java
2008-04-27 16:56:44 0 d-------- C:\Program Files\Common Files\Java
2008-04-25 22:12:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:55:29 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 15:21:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:43:44 0 d-------- C:\Program Files\McAfee
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 01:58:53 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:32 0 d-------- C:\Program Files\McAfee.com
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:57:34 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:45:53 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:37:50 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:35:17 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:35:01 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:14:41 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:15 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 14:01:58 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"ThreatFire"="E:\Program Files\ThreatFire\TFTray.exe" [04/25/2008 06:52 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]
"basicsmssmenu"="E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [10/09/2007 04:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/18/2008 11:33 PM]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM]

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-29 14:05:35 ------------


4) Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 3.40GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 2046.71 MiB / 1081.04 MiB
Pagefile Memory (total/avail): 4342.7 MiB / 3037.58 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.12 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 44.81 GiB total, 21.45 GiB free.
D: is Fixed (NTFS) - 68.38 GiB total, 16.52 GiB free.
E: is Fixed (NTFS) - 30.1 GiB total, 18.11 GiB free.
F: is Fixed (FAT32) - 5.75 GiB total, 0.95 GiB free.
G: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P ATA Device - 149.05 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 44.81 GiB - C:
\PARTITION1 - Unknown - 5.76 GiB - F:
\PARTITION2 - Extended w/Extended Int 13 - 98.48 GiB - D: - E:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AV: ThreatFire v3.5.0.21 (PC Tools)
AS: Spyware Doctor v5.5.0.178 (PC Tools)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: ThreatFire v3.5.0.21 (PC Tools)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Daniel\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DANIEL-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Daniel
LOCALAPPDATA=C:\Users\Daniel\AppData\Local
LOGONSERVER=\\DANIEL-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Daniel\AppData\Local\Temp
TMP=C:\Users\Daniel\AppData\Local\Temp
USERDOMAIN=Daniel-PC
USERNAME=Daniel
USERPROFILE=C:\Users\Daniel
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Daniel


-- Add/Remove Programs ---------------------------------------------------------

µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AusLogics Disk Defrag --> "E:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BS.Player PRO --> "E:\Program Files\Webteh\BSplayerPro\uninstall.exe"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon Utilities CameraWindow --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities CameraWindow DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "E:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities MyCamera DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCameraDC\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities RemoteCapture DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureDC\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
Combined Community Codec Pack 2008-01-24 --> "E:\Program Files\Combined Community Codec Pack\unins000.exe"
Drive Manager --> "C:\Program Files\InstallShield Installation Information\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\setup.exe" -runfromtemp -l0x0409 -removeonly
Drive Manager --> MsiExec.exe /I{48B0F38D-1913-44F3-99AA-D4C55A2B038E}
Fix-It Utilities 8 Professional --> MsiExec.exe /I{5158974E-2D28-4018-9335-7694C2974746}
Google Gmail Notifier --> "E:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
HijackThis 2.0.2 --> "C:\HJT\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware --> "E:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (3.0) --> E:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 8 Micro v8.3.2.1 --> "E:\Program Files\Nero\unins000.exe"
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
RegCure --> "C:\Windows\RegCure\uninstall.exe" "/U:E:\Program Files\RegCure\Uninstall\uninstall.xml"
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.INF
Spyware Doctor 5.5 --> E:\Program Files\Spyware Doctor\unins000.exe /LOG
ThreatFire 3.0 --> "E:\Program Files\ThreatFire\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
VideoLAN VLC media player 0.8.6f --> E:\Program Files\VideoLAN\VLC\uninstall.exe
Videora iPod touch Converter 3.07 --> E:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> "C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR --> "C:\Windows\WinRAR\uninstall.exe" "/U:E:\Program Files\WinRAR\Uninstall\uninstall.xml"


-- Application Event Log -------------------------------------------------------

Event Record #/Type4321 / Success
Event Submitted/Written: 05/29/2008 01:38:23 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type4320 / Success
Event Submitted/Written: 05/29/2008 01:38:22 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type4318 / Success
Event Submitted/Written: 05/29/2008 01:38:00 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type4298 / Success
Event Submitted/Written: 05/29/2008 10:24:42 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4293 / Success
Event Submitted/Written: 05/29/2008 10:23:49 AM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27888 / Error
Event Submitted/Written: 05/29/2008 01:37:54 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type27880 / Error
Event Submitted/Written: 05/29/2008 01:37:37 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
1

Event Record #/Type27878 / Error
Event Submitted/Written: 05/29/2008 01:37:37 PM
Event ID/Source: 2 / Microsoft-Windows-Kernel-Processor-Power
Event Description:
0

Event Record #/Type27745 / Warning
Event Submitted/Written: 05/29/2008 10:23:58 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type27742 / Error
Event Submitted/Written: 05/29/2008 10:23:12 AM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos



-- End of Deckard's System Scanner: finished at 2008-05-29 14:05:35 ------------

#9 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 29 May 2008 - 04:09 PM

Hi Cloud_D,

    I didn't uninstall Messenger Plus as NoLog showed I wasn't infected. Is it ok? Otherwise, here's the logs.

If it was me, I at least would uninstall it and then reinstall it, making sure that the Lop option is not enabled.

    ---Listing AppData sub directories---
Was that all that was listed there? Could be, just making sure.

Do you have McAfee running?

McAfee SecurityCenter
ThreatFire v3.5.0.21

Indicates you are running two antivirus programmes.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either <av one> or <av two> - if you remove McAfee please understand you will have to install a new Firewall as the McAfee one will have been uninstalled also.

Additionally, your running processes indicate that the McAfee firewall is running, but it is not showing in your logs as activated.

The Windows firewall is better than nothing, but doesn't monitor outgoing packets very well. A third party firewall will bug you with a lot of deny or allow questions for a while, but you should be able to tell it to remember your decision so after about a week or so you will rarely be asked for a decision. It's up to you, I just think you should really give it a try. For a bit more on the firewall thing, have a read here: http://www.us-cert.gov/cas/tips/ST04-004.html.

Step #1

* Clean your Cache and Cookies in Internet Explorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #2

Please download the OTCleanIt by OldTimer.
  • Please double-click on "OTCleanIt.exe"
  • Navigate to the following icon and click it: Posted Image
  • OTCleanIt might ask you to reboot. If it does so, please let it do so.
Note: after reboot, OTCleanIt and your other helper tools downloaded while cleaning your PC will be removed. So it's okay if it is not there anymore ;).

Step #3

If you are having problems running the F-Secure Online Scan, please try to run their Beta Version
(You need to use Internet Explorer or enable IEView in Firefox)
  • Follow the Instruction here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

Please download the following:
  • HJTScanlist.zip
  • Unzip it to your desktop
  • Windows Vista: Right-click the file hjtscanlist.bat > choose (Run as administrator),
  • Windows Vista: "V"
  • Choose selection "1" > [Enter]
  • Notepad will open; copy & paste the contents of this new text file to your thread
Step #5

Please post back with the following:
  • The F-Secure scan
  • A fresh HijackThis log
  • HJTScanlist log
Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
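The helper above asks for a fresh HijackThis log; the entries that mattered in this thread were the two O4 lines (now listed under "HijackThis Fixed Entries") where Rundll32 loaded a DLL from the user's Temp folder via the SYSTEM and default-profile Run keys. As an added example, not code from this thread or from HijackThis, the following Python script parses O4 lines in that log format and flags exactly those traits; the three heuristics, the severity labels and the helper names (`split_first`, `rundll32_target`, `triage`) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O4 and O23 lines copied from the HijackThis logs posted in this thread; the two
# [BM0733733a] entries are the ones listed under "HijackThis Fixed Entries" above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
"""

# O4 layout: "O4 - <hive>\..\Run: [<value name>] <command> (User '<account>')";
# the "(User ...)" tail is only printed for hives other than HKLM and HKCU.
O4_RE = re.compile(
    r"^O4 - (?P<key>\S+?\\\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# Directories that an unprivileged process or a drive-by download can write to.
TEMP_RE = re.compile(r"\\(?:Temp|Temporary Internet Files)\\", re.IGNORECASE)
# Run keys of the SYSTEM account and of the default profile. Legitimate installers
# do not register a DLL from one user's profile there.
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")


@dataclass
class RunEntry:
    key: str
    name: str
    cmd: str
    user: Optional[str]
    raw: str


@dataclass
class Finding:
    entry: RunEntry
    reasons: List[str]

    @property
    def severity(self) -> str:
        # Assumed scoring for this example: two independent signals on one entry.
        return "high" if len(self.reasons) >= 2 else "review"


def split_first(cmd: str) -> Tuple[str, str]:
    """Split a Run value into its first token and the rest. A leading double-quoted
    string is one token; an unquoted path is cut at the first space, as Windows
    itself would try first when resolving it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    parts = cmd.split(None, 1) or [""]
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(cmd: str) -> Optional[str]:
    """If the Run value launches rundll32, return the DLL it loads (",EntryPoint"
    suffix removed); otherwise None."""
    launcher, rest = split_first(cmd)
    exe = launcher.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("rundll32.exe", "rundll32"):
        return None
    target, _ = split_first(rest)
    return target.split(",", 1)[0]


def parse_o4(log: str) -> List[RunEntry]:
    """Return the O4 (autorun) entries of a HijackThis log; other lines are skipped."""
    matches = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [RunEntry(m["key"], m["name"], m["cmd"].strip(), m["user"], m.group(0))
            for m in matches if m]


def assess(entry: RunEntry) -> List[str]:
    """Apply the example's three heuristics to one entry; return the reasons that hit."""
    reasons = []
    payload = rundll32_target(entry.cmd)
    via_rundll32 = payload is not None
    if payload is None:
        payload, _ = split_first(entry.cmd)
    lower = payload.lower()
    if TEMP_RE.search(payload):
        reasons.append("started from a temporary directory: " + payload)
    if via_rundll32 and "\\windows\\" not in lower:
        reasons.append("rundll32 loads a DLL from outside the Windows directory")
    if entry.key.upper().startswith(SYSTEM_HIVES) and "\\users\\" in lower:
        reasons.append("Run key of account %r points into a user profile" % entry.user)
    return reasons


def triage(log: str) -> List[Finding]:
    """Parse a log and keep only the O4 entries that matched at least one heuristic."""
    return [f for f in (Finding(e, assess(e)) for e in parse_o4(log)) if f.reasons]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.entry.raw}")
        for reason in finding.reasons:
            print("    -", reason)
```

Run against the sample, only the two BM0733733a entries come back, each with all three reasons; the NvSvc line, which also uses rundll32 but loads from system32 under HKLM, is left alone.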


#10 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:55 PM

Posted 30 May 2008 - 12:42 AM

Hi,

Thanks for the help.

1) Scanning Report
Friday, May 30, 2008 11:53:44 - 13:32:11
Computer name: DANIEL-PC
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\ F:\


--------------------------------------------------------------------------------

Result: 2 malware found
Client-P2P.Win32.Share (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 48691
System: 3735
Not scanned: 39
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCAFEE_XCLNYR0B2FDLVVJ
C:\WINDOWS\TEMP\MCMSC_H3WFWW4XZCZ9MTV
C:\WINDOWS\TEMP\MCMSC_NJKF0V2TTUQ6XH6
C:\WINDOWS\TEMP\MCMSC_RNEC0ADOIIQEZXZ
C:\WINDOWS\TEMP\MCMSC_Y3IEWZ7TX91G4KY
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{A52D7286-EF0F-4DDF-9E35-2D15B3210C81}.BIN
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7781B9F6EB180BEF873B3515B2662E7C_728ED5B3-1627-4752-9AB3-AAEA5765B082
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7781B9F6EB180BEF873B3515B2662E7C_728ED5B3-1627-4752-9AB3-AAEA5765B082
C:\BOOT\BCD
D:\SYSTEM VOLUME INFORMATION\{21D0A777-2D26-11DD-A0D2-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
D:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}
D:\SYSTEM VOLUME INFORMATION\{5DE5A537-2C55-11DD-BBD6-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
D:\SYSTEM VOLUME INFORMATION\{7C1B9BC2-2AC3-11DD-BE1A-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
D:\SYSTEM VOLUME INFORMATION\{E520139C-2B96-11DD-9F1B-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
D:\SYSTEM VOLUME INFORMATION\{F19B454B-29B9-11DD-A4D5-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
E:\SYSTEM VOLUME INFORMATION\{21D0A778-2D26-11DD-A0D2-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
E:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}
E:\SYSTEM VOLUME INFORMATION\{5DE5A538-2C55-11DD-BBD6-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
E:\SYSTEM VOLUME INFORMATION\{7C1B9BC3-2AC3-11DD-BE1A-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
E:\SYSTEM VOLUME INFORMATION\{E520139D-2B96-11DD-9F1B-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
E:\SYSTEM VOLUME INFORMATION\{F19B454C-29B9-11DD-A4D5-0019212C5EB4}{3808876B-C176-4E48-B7AE-04046E6CC752}
E:\EB69B4286722088DE93B273E\SPMSG.DLL
E:\EB69B4286722088DE93B273E\SPUNINST.EXE

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-05-30
F-Secure AVP: 7.0.171, 2008-05-30
F-Secure Pegasus: 1.20.0, 2008-04-15
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

2) Deckard's System Scanner v20071014.68
Run by Daniel on 2008-05-30 13:35:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
9: 2008-05-29 04:35:19 UTC - RP71 - Scheduled Checkpoint
8: 2008-05-28 03:46:52 UTC - RP70 - Windows Update
7: 2008-05-27 03:41:54 UTC - RP69 - Scheduled Checkpoint
6: 2008-05-26 06:56:29 UTC - RP68 - Scheduled Checkpoint
5: 2008-05-24 19:59:59 UTC - RP67 - Windows Backup


-- First Restore Point --
1: 2008-05-21 12:25:43 UTC - RP61 - Scheduled Checkpoint


Performed disk cleanup.



-- HijackThis (run as Daniel.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:15 PM, on 5/30/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\system32\taskeng.exe
E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Windows\ehome\ehmsas.exe
E:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\svchost.exe
E:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\Downloaded Program Files\gatelauncher.exe
C:\Users\Daniel\AppData\Local\Temp\fsgk32.exe
C:\Users\Daniel\AppData\Local\Temp\fssm32.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
E:\Users\Daniel\Desktop\dss.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\HJT\Daniel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - E:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - E:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: ThreatFire - PC Tools - E:\Program Files\ThreatFire\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10372 bytes

-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20080529-102717-660 O4 - HKUS\S-1-5-18\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'SYSTEM')
backup-20080529-102717-938 O4 - HKUS\.DEFAULT\..\Run: [BM0733733a] Rundll32.exe "C:\Users\Daniel\AppData\Local\Temp\gbryedmd.dll",s (User 'Default user')

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 F-Secure Standalone Minifilter - \??\c:\users\daniel\appdata\local\temp\low\onlinescanner\anti-virus\fsgk.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\Windows\System32\svchost.exe (pid 1000)
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\Windows\System32\svchost.exe (pid 1036)
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\Windows\explorer.exe (pid 1932)
2007-08-31 13:57:42 28672 --a------ E:\Program Files\Avanquest\Fix-It\WinHook.dll <Not Verified; Avanquest Software USA, Inc.; Fix-It Utilities>

C:\Windows\System32\rundll32.exe (pid 1916)
2007-08-31 13:57:42 28672 --a------ E:\Program Files\Avanquest\Fix-It\WinHook.dll <Not Verified; Avanquest Software USA, Inc.; Fix-It Utilities>

C:\Windows\System32\rundll32.exe (pid 3912)
2007-08-31 13:57:42 28672 --a------ E:\Program Files\Avanquest\Fix-It\WinHook.dll <Not Verified; Avanquest Software USA, Inc.; Fix-It Utilities>


-- Scheduled Tasks -------------------------------------------------------------

2008-05-30 11:45:23 440 --a------ C:\Windows\Tasks\RegCure Program Check.job
2008-05-29 22:39:08 424 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{54C04306-396D-428A-A04D-8B1A362526F2}.job
2008-05-01 03:24:53 374 --a------ C:\Windows\Tasks\RegCure.job
2008-05-01 01:00:07 334 --a------ C:\Windows\Tasks\McQcTask.job
2008-04-19 10:12:11 342 --a------ C:\Windows\Tasks\McDefragTask.job


-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

2008-05-29 13:18:30 106 --a------ C:\delete.bat
2008-05-29 10:18:08 0 d-------- C:\HJT
2008-05-28 20:43:40 0 d-------- C:\Program Files\Yahoo!
2008-05-25 03:49:44 0 d-------- C:\Program Files\InstallShield Installation Information
2008-05-25 03:49:12 0 d-------- C:\Users\All Users\Seagate
2008-05-25 03:47:40 0 d-------- C:\Windows\Downloaded Installations
2008-05-22 17:11:35 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-12 01:02:40 0 d-------- C:\Windows\RegCure
2008-05-12 00:53:14 368640 --a------ C:\Windows\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corporation; TwnLib4 - TwainPRO v4.0 - Utility Library>
2008-05-12 00:53:14 802816 --a------ C:\Windows\system32\imagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:14 258048 --a------ C:\Windows\system32\imagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-12 00:53:13 1757184 --a------ C:\Windows\system32\imagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-10 09:57:26 0 d-------- C:\Program Files\MSXML 4.0
2008-05-09 12:28:37 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-09 12:11:32 0 d-------- C:\Users\All Users\Nero
2008-05-09 12:11:32 0 d-------- C:\Program Files\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files\Nero
2008-05-01 21:10:48 0 d-------- C:\Users\All Users\ZoomBrowser


-- Find3M Report ---------------------------------------------------------------

2008-05-30 11:46:21 0 d-------- C:\Users\Daniel\AppData\Roaming\uTorrent
2008-05-28 21:01:22 0 d-------- C:\Users\Daniel\AppData\Roaming\SiteAdvisor
2008-05-23 11:04:52 0 d-------- C:\Program Files\SiteAdvisor
2008-05-20 13:47:11 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-18 12:08:29 0 d-------- C:\Users\Daniel\AppData\Roaming\Mozilla
2008-05-14 10:55:20 0 d-------- C:\Program Files\Windows Mail
2008-05-09 12:18:50 0 d-------- C:\Users\Daniel\AppData\Roaming\Nero
2008-05-09 12:11:31 0 d-------- C:\Program Files\Common Files
2008-05-06 22:05:09 0 d-------- C:\Users\Daniel\AppData\Roaming\ZoomBrowser EX
2008-05-01 21:37:52 0 d-------- C:\Program Files\Canon
2008-05-01 21:07:53 0 d-------- C:\Program Files\Common Files\Canon
2008-04-30 16:41:24 0 d-------- C:\Users\Daniel\AppData\Roaming\Apple Computer
2008-04-27 22:02:15 0 d-------- C:\Users\Daniel\AppData\Roaming\WinRAR
2008-04-27 16:58:00 0 d-------- C:\Program Files\Java
2008-04-27 16:56:44 0 d-------- C:\Program Files\Common Files\Java
2008-04-25 22:12:16 0 d-------- C:\Users\Daniel\AppData\Roaming\Malwarebytes
2008-04-21 22:03:00 0 d-------- C:\Users\Daniel\AppData\Roaming\BSplayer Pro
2008-04-21 20:55:29 0 d-------- C:\Program Files\AviSynth 2.5
2008-04-21 20:40:53 0 d-------- C:\Users\Daniel\AppData\Roaming\vlc
2008-04-21 18:59:59 0 d-------- C:\Users\Daniel\AppData\Roaming\CopyTrans
2008-04-19 15:22:44 0 d-------- C:\Users\Daniel\AppData\Roaming\Adobe
2008-04-19 15:21:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 12:11:23 0 d-------- C:\Users\Daniel\AppData\Roaming\Avanquest
2008-04-19 12:06:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 11:51:14 0 d-------- C:\Users\Daniel\AppData\Roaming\Media Player Classic
2008-04-19 11:43:44 0 d-------- C:\Program Files\McAfee
2008-04-19 11:17:30 0 d-------- C:\Users\Daniel\AppData\Roaming\Auslogics
2008-04-19 10:39:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-19 01:58:53 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-19 01:58:32 0 d-------- C:\Program Files\McAfee.com
2008-04-19 00:54:54 0 d-------- C:\Users\Daniel\AppData\Roaming\PC Tools
2008-04-18 16:27:59 0 d-------- C:\Users\Daniel\AppData\Roaming\Macromedia
2008-04-18 16:18:54 0 d-------- C:\Program Files\uTorrent
2008-04-18 15:59:27 0 d-------- C:\Program Files\iPod
2008-04-18 15:57:45 0 d-------- C:\Program Files\Bonjour
2008-04-18 15:57:34 0 d-------- C:\Program Files\QuickTime
2008-04-18 15:56:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-18 15:55:36 0 d-------- C:\Program Files\Common Files\Apple
2008-04-18 15:45:53 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 15:45:12 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 15:37:50 0 d-------- C:\Program Files\Messenger Plus! Live
2008-04-18 15:35:17 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:35:01 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:14:41 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-18 15:10:15 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-18 14:38:34 174 --ahs---- C:\Program Files\desktop.ini
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Sidebar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Windows Calendar
2008-04-18 14:32:38 0 d-------- C:\Program Files\Movie Maker
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Journal
2008-04-18 14:32:37 0 d-------- C:\Program Files\Windows Collaboration
2008-04-18 14:32:36 0 d-------- C:\Program Files\Windows Defender
2008-04-18 14:01:58 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 13:27:11 0 d-------- C:\Program Files\CONEXANT
2008-04-18 12:19:26 0 d-------- C:\Users\Daniel\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/25/2007 05:52 AM C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [08/28/2007 01:59 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/28/2007 01:59 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/28/2007 01:59 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/16/2005 05:48 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/25/2007 05:57 AM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]
"basicsmssmenu"="E:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [10/09/2007 04:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [04/19/2008 10:18 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/18/2008 11:33 PM]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM]

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-30 13:38:48 ------------

3) Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 3.40GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 2046.71 MiB / 741.7 MiB
Pagefile Memory (total/avail): 4352.7 MiB / 2617.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.77 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 44.81 GiB total, 21.19 GiB free.
D: is Fixed (NTFS) - 68.38 GiB total, 16.52 GiB free.
E: is Fixed (NTFS) - 30.1 GiB total, 18.02 GiB free.
F: is Fixed (FAT32) - 5.75 GiB total, 0.95 GiB free.
G: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P ATA Device - 149.05 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 44.81 GiB - C:
\PARTITION1 - Unknown - 5.76 GiB - F:
\PARTITION2 - Extended w/Extended Int 13 - 98.48 GiB - D: - E:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AV: ThreatFire v3.5.0.21 (PC Tools)
AS: Spyware Doctor v5.5.0.178 (PC Tools)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: ThreatFire v3.5.0.21 (PC Tools)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Daniel\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DANIEL-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Daniel
LOCALAPPDATA=C:\Users\Daniel\AppData\Local
LOGONSERVER=\\DANIEL-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Daniel\AppData\Local\Temp
TMP=C:\Users\Daniel\AppData\Local\Temp
USERDOMAIN=Daniel-PC
USERNAME=Daniel
USERPROFILE=C:\Users\Daniel
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Daniel


-- Add/Remove Programs ---------------------------------------------------------

µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AusLogics Disk Defrag --> "E:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BS.Player PRO --> "E:\Program Files\Webteh\BSplayerPro\uninstall.exe"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon Utilities CameraWindow --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities CameraWindow DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "E:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities MyCamera DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCameraDC\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities RemoteCapture DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureDC\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "E:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
Combined Community Codec Pack 2008-01-24 --> "E:\Program Files\Combined Community Codec Pack\unins000.exe"
Drive Manager --> "C:\Program Files\InstallShield Installation Information\{48B0F38D-1913-44F3-99AA-D4C55A2B038E}\setup.exe" -runfromtemp -l0x0409 -removeonly
Drive Manager --> MsiExec.exe /I{48B0F38D-1913-44F3-99AA-D4C55A2B038E}
Fix-It Utilities 8 Professional --> MsiExec.exe /I{5158974E-2D28-4018-9335-7694C2974746}
Google Gmail Notifier --> "E:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
HijackThis 2.0.2 --> "C:\HJT\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (3.0) --> E:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 8 Micro v8.3.2.1 --> "E:\Program Files\Nero\unins000.exe"
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
RegCure --> "C:\Windows\RegCure\uninstall.exe" "/U:E:\Program Files\RegCure\Uninstall\uninstall.xml"
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.INF
Spyware Doctor 5.5 --> E:\Program Files\Spyware Doctor\unins000.exe /LOG
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
VideoLAN VLC media player 0.8.6f --> E:\Program Files\VideoLAN\VLC\uninstall.exe
Videora iPod touch Converter 3.07 --> E:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> "C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR --> "C:\Windows\WinRAR\uninstall.exe" "/U:E:\Program Files\WinRAR\Uninstall\uninstall.xml"


-- Application Event Log -------------------------------------------------------

Event Record #/Type4505 / Success
Event Submitted/Written: 05/30/2008 11:46:55 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4499 / Success
Event Submitted/Written: 05/30/2008 11:45:41 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type4498 / Success
Event Submitted/Written: 05/30/2008 11:45:39 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type4495 / Success
Event Submitted/Written: 05/30/2008 11:45:23 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type4478 / Success
Event Submitted/Written: 05/30/2008 11:43:05 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type28799 / Error
Event Submitted/Written: 05/30/2008 11:46:38 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
TfFsMon%%2

Event Record #/Type28798 / Error
Event Submitted/Written: 05/30/2008 11:46:38 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
TfNetMon%%2

Event Record #/Type28796 / Error
Event Submitted/Written: 05/30/2008 11:46:38 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
TfSysMon%%2

Event Record #/Type28795 / Error
Event Submitted/Written: 05/30/2008 11:46:38 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
TfSysMon%%2

Event Record #/Type28709 / Error
Event Submitted/Written: 05/30/2008 11:45:19 AM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos



-- End of Deckard's System Scanner: finished at 2008-05-30 13:38:48 ------------

4)
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
║                                    ║
           hjtscanlist v2.0
║                                    ║
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Microsoft Windows [Version 6.0.6001]
 
 
C:

  05/30/2008 01:36 PM	 C:\HJT --------- 4096   
	   C:\hiberfil.sys ---------	
	   C:\pagefile.sys ---------	
  05/29/2008 01:19 PM	 C:\NoLop.log --------- 229   
  05/29/2008 01:18 PM	 C:\delete.bat --------- 106   
  05/29/2008 12:40 PM	 C:\System Volume Information --------- 8192   
  05/28/2008 08:43 PM	 C:\Program Files --------- 12288   
  05/25/2008 03:49 AM	 C:\ProgramData --------- 8192   
  05/25/2008 03:47 AM	 C:\Windows --------- 24576   
  05/20/2008 01:47 PM	 C:\temp --------- 0   
  05/11/2008 11:33 AM	 C:\VundoFix.txt --------- 298   
  05/09/2008 06:05 PM	 C:\Deckard --------- 0   
  04/28/2008 06:53 PM	 C:\Bug.txt --------- 4966   
  04/28/2008 06:53 PM	 C:\327882R2FWJFW --------- 0   
  04/27/2008 09:29 PM	 C:\_Backup --------- 0   
  04/25/2008 10:49 PM	 C:\ComboFix.txt --------- 18836   
  04/19/2008 12:13 PM	 C:\_Backup.RC --------- 0   
  04/19/2008 04:01 AM	 C:\BOOTSECT.BAK --------- 8192   
  04/19/2008 04:01 AM	 C:\Boot.ini.saved --------- 355   
  04/18/2008 03:42 PM	 C:\MSOCache --------- 0   
  04/18/2008 02:38 PM	 C:\Boot --------- 4096   
  04/18/2008 02:31 PM	 C:\PerfLogs --------- 0   
  04/18/2008 02:01 PM	 C:\bc4df1d51d879d6c5c156d0475 --------- 4096   
  04/18/2008 12:19 PM	 C:\$Recycle.Bin --------- 0   
  04/18/2008 12:19 PM	 C:\Users --------- 4096   
  04/18/2008 11:51 AM	 C:\Boot.BAK --------- 355   
  04/18/2008 11:22 AM	 C:\$WIN_NT$.~BT --------- 0   
  04/18/2008 11:22 AM	 C:\hp --------- 4096   
  01/18/2008 11:45 PM	 C:\bootmgr --------- 333203   
  11/02/2006 09:02 PM	 C:\Documents and Settings --------- 0   
  09/19/2006 05:43 AM	 C:\config.sys --------- 10   
  09/19/2006 05:43 AM	 C:\autoexec.bat --------- 24   
  09/18/2006 07:15 PM	 C:\Python22 --------- 0   
  09/18/2006 07:15 PM	 C:\system.sav --------- 0   
  11/23/2004 12:58 PM	 C:\MSDOS.SYS --------- 0   
  11/23/2004 12:58 PM	 C:\IO.SYS --------- 0   
  08/04/2004 07:00 PM	 C:\ntldr --------- 250032   
  08/04/2004 07:00 PM	 C:\NTDETECT.COM --------- 47564   
----------------------------------------

 
C:\Windows

  05/30/2008 11:45 AM	 C:\Windows\bootstat.dat --------- 67584   
  05/30/2008 11:40 AM	 C:\Windows\WindowsUpdate.log --------- 1989953   
  05/29/2008 01:37 PM	 C:\Windows\PFRO.log --------- 49214   
  05/25/2008 01:53 AM	 C:\Windows\setupact.log --------- 23406   
  05/11/2008 11:26 AM	 C:\Windows\ntbtlog.txt --------- 135588   
  05/11/2008 10:13 AM	 C:\Windows\msxml4-KB941833-enu.LOG --------- 267344   
  05/10/2008 09:58 AM	 C:\Windows\msxml4-KB936181-enu.LOG --------- 266280   
  05/09/2008 12:07 PM	 C:\Windows\DirectX.log --------- 26869   
  04/30/2008 10:28 AM	 C:\Windows\MEMORY.DMP --------- 170282180   
  04/30/2008 10:25 AM	 C:\Windows\ThreatFire Patch Log.txt --------- 10741   
  04/25/2008 10:48 PM	 C:\Windows\system.ini --------- 215   
  04/19/2008 03:09 AM	 C:\Windows\TSSysprep.log --------- 1313   
  04/18/2008 03:35 PM	 C:\Windows\DPINST.LOG --------- 4544   
  04/18/2008 02:38 PM	 C:\Windows\WindowsShell.Manifest --------- 749   
  04/18/2008 02:37 PM	 C:\Windows\DtcInstall.log --------- 2257   
  04/18/2008 02:16 PM	 C:\Windows\SPInstall.etl --------- 49152   
  01/18/2008 11:33 PM	 C:\Windows\regedit.exe --------- 134656   
  01/18/2008 11:33 PM	 C:\Windows\notepad.exe --------- 151040   
  01/18/2008 11:33 PM	 C:\Windows\HelpPane.exe --------- 498176   
  01/18/2008 11:33 PM	 C:\Windows\fveupdate.exe --------- 13312   
  01/18/2008 11:33 PM	 C:\Windows\explorer.exe --------- 2927104   
  01/18/2008 11:33 PM	 C:\Windows\bfsvc.exe --------- 58880   
  10/25/2007 05:52 AM	 C:\Windows\RtHDVCpl.exe --------- 4702208   
  07/26/2007 10:06 AM	 C:\Windows\RtlUpd.exe --------- 1191936   
  11/02/2006 09:04 PM	 C:\Windows\win.ini --------- 144   
  11/02/2006 08:52 PM	 C:\Windows\setuperr.log --------- 0   
  11/02/2006 08:47 PM	 C:\Windows\SETUPAPI.LOG --------- 94   
  11/02/2006 08:35 PM	 C:\Windows\WMSysPr9.prx --------- 316640   
  11/02/2006 08:34 PM	 C:\Windows\twunk_16.exe --------- 49680   
  11/02/2006 08:34 PM	 C:\Windows\twain_32.dll --------- 50688   
  11/02/2006 08:34 PM	 C:\Windows\twunk_32.exe --------- 31232   
  11/02/2006 08:34 PM	 C:\Windows\twain.dll --------- 94784   
  11/02/2006 05:45 PM	 C:\Windows\winhlp32.exe --------- 9216   
  11/02/2006 05:45 PM	 C:\Windows\hh.exe --------- 14848   
  11/02/2006 03:46 PM	 C:\Windows\mib.bin --------- 43131   
  09/19/2006 07:41 PM	 C:\Windows\HomePremium.xml --------- 8328   
  09/19/2006 05:43 AM	 C:\Windows\_default.pif --------- 707   
  09/19/2006 05:43 AM	 C:\Windows\winhelp.exe --------- 256192   
  09/19/2006 05:30 AM	 C:\Windows\msdfmap.ini --------- 1405   
  08/31/2000 08:00 AM	 C:\Windows\Nircmd.exe --------- 28160   
----------------------------------------

 
C:\Windows\System

 11/02/2006 08:34 PM	  C:\Windows\System\mciseq.drv --------- 25264 
 11/02/2006 08:34 PM	  C:\Windows\System\mciwave.drv --------- 28160 
 11/02/2006 08:34 PM	  C:\Windows\System\avifile.dll --------- 109456 
 11/02/2006 08:34 PM	  C:\Windows\System\avicap.dll --------- 69584 
 11/02/2006 08:34 PM	  C:\Windows\System\mciavi.drv --------- 73376 
 11/02/2006 08:34 PM	  C:\Windows\System\msvideo.dll --------- 126912 
 11/02/2006 03:10 PM	  C:\Windows\System\OLESVR.DLL --------- 24064 
 11/02/2006 03:10 PM	  C:\Windows\System\WFWNET.DRV --------- 12704 
 11/02/2006 03:10 PM	  C:\Windows\System\COMMDLG.DLL --------- 32816 
 11/02/2006 03:10 PM	  C:\Windows\System\TIMER.DRV --------- 4048 
 11/02/2006 03:10 PM	  C:\Windows\System\MMSYSTEM.DLL --------- 68992 
 11/02/2006 03:10 PM	  C:\Windows\System\mmtask.tsk --------- 1152 
 11/02/2006 03:10 PM	  C:\Windows\System\mouse.drv --------- 2032 
 11/02/2006 03:10 PM	  C:\Windows\System\vga.drv --------- 2176 
 11/02/2006 03:10 PM	  C:\Windows\System\sound.drv --------- 1744 
 11/02/2006 03:10 PM	  C:\Windows\System\keyboard.drv --------- 2000 
 11/02/2006 03:10 PM	  C:\Windows\System\SHELL.DLL --------- 5120 
 11/02/2006 03:10 PM	  C:\Windows\System\system.drv --------- 3360 
 09/19/2006 05:43 AM	  C:\Windows\System\ver.dll --------- 9008 
 09/19/2006 05:43 AM	  C:\Windows\System\olecli.dll --------- 82944 
 09/19/2006 05:43 AM	  C:\Windows\System\lzexpand.dll --------- 9936 
 09/19/2006 05:35 AM	  C:\Windows\System\stdole.tlb --------- 5532 
----------------------------------------

 
C:\Windows\System32

 05/30/2008 01:39 PM	 C:\Windows\system32\hjtscanlist.txt --------- 7158  
 05/30/2008 01:32 PM	 C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 --------- 3568  
 05/30/2008 01:32 PM	 C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 --------- 3568  
 05/30/2008 11:46 AM	 C:\Windows\system32\Config.MPF --------- 17443  
 05/30/2008 11:45 AM	 C:\Windows\system32\drivers --------- 57344  
 05/29/2008 10:33 AM	 C:\Windows\system32\MSCOMCTL.OCX --------- 1066176  
 05/28/2008 08:41 PM	 C:\Windows\system32\perfh009.dat --------- 595446  
 05/28/2008 08:41 PM	 C:\Windows\system32\perfc009.dat --------- 101144  
 05/28/2008 08:41 PM	 C:\Windows\system32\PerfStringBackup.INI --------- 690960  
 05/28/2008 11:45 AM	 C:\Windows\system32\catroot --------- 0  
 05/28/2008 11:45 AM	 C:\Windows\system32\catroot2 --------- 8192  
 05/11/2008 10:39 AM	 C:\Windows\system32\Msdtc --------- 4096  
 05/11/2008 10:39 AM	 C:\Windows\system32\wbem --------- 61440  
 05/11/2008 10:38 AM	 C:\Windows\system32\config --------- 12288  
 05/11/2008 10:38 AM	 C:\Windows\system32\spool --------- 4096  
 05/11/2008 10:38 AM	 C:\Windows\system32\Tasks --------- 4096  
 05/10/2008 05:35 AM	 C:\Windows\system32\mrt.exe --------- 16863864  
 05/09/2008 12:29 PM	 C:\Windows\system32\MsiExec.exe.log --------- 297  
 05/08/2008 03:25 PM	 C:\Windows\system32\WDI --------- 4096  
 05/01/2008 12:36 AM	 C:\Windows\system32\LogFiles --------- 0  
 04/28/2008 06:53 PM	 C:\Windows\system32\en-US --------- 253952  
 04/27/2008 04:58 PM	 C:\Windows\system32\jupdate-1.6.0_06-b02.log --------- 6283  
 04/23/2008 06:18 PM	 C:\Windows\system32\Kaspersky Lab --------- 0  
 04/21/2008 06:08 PM	 C:\Windows\system32\jupdate-1.6.0_05-b13.log --------- 6242  
 04/19/2008 11:43 AM	 C:\Windows\system32\FNTCACHE.DAT --------- 263088  
 04/19/2008 01:41 AM	 C:\Windows\system32\Microsoft --------- 0  
 04/19/2008 01:39 AM	 C:\Windows\system32\MPFServiceFailureCount.txt --------- 31  
 04/18/2008 04:27 PM	 C:\Windows\system32\Macromed --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\com --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\XPSViewer --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\da-DK --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\ko-KR --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\de-DE --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\it-IT --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\el-GR --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\oobe --------- 4096  
 04/18/2008 02:32 PM	 C:\Windows\system32\migration --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\sysprep --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\AdvancedInstallers --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\ru-RU --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\ias --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\fr-FR --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\sv-SE --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\he-IL --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\setup --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\fi-FI --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\hu-HU --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\cs-CZ --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\pt-PT --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\SLUI --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\zh-CN --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\en --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\manifeststore --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\es-ES --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\zh-TW --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\ja-JP --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\pl-PL --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\ro-RO --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\tr-TR --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\nb-NO --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\nl-NL --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\ar-SA --------- 0  
 04/18/2008 02:32 PM	 C:\Windows\system32\migwiz --------- 4096  
 04/18/2008 02:32 PM	 C:\Windows\system32\pt-BR --------- 0  
 04/18/2008 02:31 PM	 C:\Windows\system32\Boot --------- 0  
 04/18/2008 02:24 PM	 C:\Windows\system32\RTCOM --------- 0  
 04/18/2008 02:20 PM	 C:\Windows\system32\ifxcardm.dll --------- 101888  
 04/18/2008 02:20 PM	 C:\Windows\system32\axaltocm.dll --------- 82432  
 04/18/2008 02:01 PM	 C:\Windows\system32\SPWizUI.dll --------- 152576  
 04/18/2008 02:01 PM	 C:\Windows\system32\SPReview.exe --------- 47560  
 04/18/2008 01:14 PM	 C:\Windows\system32\ras --------- 0  
 04/18/2008 01:14 PM	 C:\Windows\system32\icsxml --------- 0  
 04/18/2008 01:07 PM	 C:\Windows\system32\rasctrnm.h --------- 1820  
 04/18/2008 12:53 PM	 C:\Windows\system32\kbd106n.dll --------- 6656  
 04/18/2008 12:53 PM	 C:\Windows\system32\winresume.exe --------- 927288  
 04/18/2008 12:53 PM	 C:\Windows\system32\winload.exe --------- 988216  
 04/18/2008 12:53 PM	 C:\Windows\system32\srclient.dll --------- 40960  
 04/18/2008 12:53 PM	 C:\Windows\system32\rstrui.exe --------- 318464  
 04/18/2008 12:53 PM	 C:\Windows\system32\srcore.dll --------- 378368  
 04/18/2008 12:53 PM	 C:\Windows\system32\srdelayed.exe --------- 14848  
 04/18/2008 12:53 PM	 C:\Windows\system32\kd1394.dll --------- 19000  
 04/18/2008 12:53 PM	 C:\Windows\system32\setbcdlocale.dll --------- 46592  
 04/18/2008 12:53 PM	 C:\Windows\system32\ci.dll --------- 615992  
 04/18/2008 12:51 PM	 C:\Windows\system32\win32k.sys --------- 2032128  
 04/18/2008 12:50 PM	 C:\Windows\system32\gdi32.dll --------- 295936  
 04/18/2008 12:44 PM	 C:\Windows\system32\ieapfltr.dat --------- 2455488  
 04/18/2008 12:44 PM	 C:\Windows\system32\wininet.dll --------- 826880  
 04/18/2008 12:44 PM	 C:\Windows\system32\jsproxy.dll --------- 28160  
 04/18/2008 12:44 PM	 C:\Windows\system32\mshtml.dll --------- 3578368  
 04/18/2008 12:44 PM	 C:\Windows\system32\mshtml.tlb --------- 1383424  
 04/18/2008 12:44 PM	 C:\Windows\system32\mstime.dll --------- 671232  
 04/18/2008 12:44 PM	 C:\Windows\system32\urlmon.dll --------- 1166336  
 04/18/2008 12:15 PM	 C:\Windows\system32\restore --------- 0  
 04/18/2008 12:09 PM	 C:\Windows\system32\license.rtf --------- 43530  
 03/28/2008 11:37 PM	 C:\Windows\system32\QuickTimeVR.qtx --------- 90112  
 03/28/2008 11:37 PM	 C:\Windows\system32\QuickTime.qts --------- 57344  
 03/25/2008 02:37 AM	 C:\Windows\system32\javaws.exe --------- 139264  
 03/25/2008 01:28 AM	 C:\Windows\system32\javaw.exe --------- 135168  
 03/25/2008 01:28 AM	 C:\Windows\system32\java.exe --------- 135168  
 03/08/2008 12:21 PM	 C:\Windows\system32\gameux.dll --------- 1695744  
----------------------------------------

 
C:\Windows\Prefetch

 05/30/2008 01:39 PM	 C:\Windows\Prefetch\CMD.EXE-89305D47.pf --------- 23844  
 05/30/2008 01:39 PM	 C:\Windows\Prefetch\DLLHOST.EXE-893DDF55.pf --------- 31406  
 05/30/2008 01:39 PM	 C:\Windows\Prefetch\CONSENT.EXE-65F6206D.pf --------- 65414  
 05/30/2008 01:38 PM	 C:\Windows\Prefetch\NOTEPAD.EXE-3D2AFDB4.pf --------- 21150  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\SORT.EXE-CDAF7663.pf --------- 15162  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\WMIPRVSE.EXE-43972D0F.pf --------- 44064  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\FIND.EXE-162DFE58.pf --------- 13646  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\CSCRIPT.EXE-E4C98DEB.pf --------- 36416  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\CONIME.EXE-B273009A.pf --------- 14534  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\SWREG.EXE-9DDCEE98.pf --------- 14214  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\SED.EXE-ECDF2DF4.pf --------- 14082  
 05/30/2008 01:37 PM	 C:\Windows\Prefetch\FINDSTR.EXE-4176B665.pf --------- 16498  
 05/30/2008 01:36 PM	 C:\Windows\Prefetch\DANIEL.EXE-F5E60FC5.pf --------- 327568  
 05/30/2008 01:35 PM	 C:\Windows\Prefetch\MD5DEEP.EXE-A4C75B2C.pf --------- 15862  
 05/30/2008 01:35 PM	 C:\Windows\Prefetch\VERCLSID.EXE-4D95F5A7.pf --------- 20642  
 05/30/2008 01:35 PM	 C:\Windows\Prefetch\WINRAR.EXE-E031DE56.pf --------- 43108  
 05/30/2008 01:35 PM	 C:\Windows\Prefetch\SVCHOST.EXE-8FD92526.pf --------- 21636  
 05/30/2008 01:35 PM	 C:\Windows\Prefetch\VSSVC.EXE-04D079CC.pf --------- 29746  
 05/30/2008 01:35 PM	 C:\Windows\Prefetch\DLLHOST.EXE-C5C55E89.pf --------- 38046  
 05/30/2008 01:35 PM	 C:\Windows\Prefetch\DSS.EXE-2315B26C.pf --------- 58860  
 05/30/2008 01:34 PM	 C:\Windows\Prefetch\DLLHOST.EXE-71214090.pf --------- 42880  
 05/30/2008 01:32 PM	 C:\Windows\Prefetch\HIJACKTHIS.EXE-168AC676.pf --------- 31364  
 05/30/2008 01:32 PM	 C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-AA7A1FDD.pf --------- 18726  
 05/30/2008 01:32 PM	 C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-AFAD3EF9.pf --------- 26942  
 05/30/2008 01:10 PM	 C:\Windows\Prefetch\FLASHUTIL9F.EXE-957331B8.pf --------- 25518  
 05/30/2008 01:00 PM	 C:\Windows\Prefetch\TASKENG.EXE-5BAF290C.pf --------- 28866  
 05/30/2008 12:46 PM	 C:\Windows\Prefetch\AgGlFgAppHistory.db --------- 1789668  
 05/30/2008 12:46 PM	 C:\Windows\Prefetch\AgGlFaultHistory.db --------- 804916  
 05/30/2008 12:46 PM	 C:\Windows\Prefetch\AgGlGlobalHistory.db --------- 3117566  
 05/30/2008 12:46 PM	 C:\Windows\Prefetch\AgRobust.db --------- 715392  
 05/30/2008 12:26 PM	 C:\Windows\Prefetch\MPLAYERC.EXE-17C9B4EC.pf --------- 93190  
 05/30/2008 12:17 PM	 C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-4279582984-1074140112-2786815550-1000.db --------- 897602  
 05/30/2008 12:17 PM	 C:\Windows\Prefetch\AgGlUAD_S-1-5-21-4279582984-1074140112-2786815550-1000.db --------- 727436  
 05/30/2008 12:16 PM	 C:\Windows\Prefetch\MCUPDATE.EXE-0230BC80.pf --------- 34940  
 05/30/2008 12:13 PM	 C:\Windows\Prefetch\IEINSTAL.EXE-6C8EA198.pf --------- 61570  
 05/30/2008 12:03 PM	 C:\Windows\Prefetch\MCUIMGR.EXE-DAC28615.pf --------- 24564  
 05/30/2008 12:02 PM	 C:\Windows\Prefetch\UPDATE.EXE-5A742F55.pf --------- 93732  
 05/30/2008 11:58 AM	 C:\Windows\Prefetch\WERCON.EXE-FE5CD389.pf --------- 46206  
 05/30/2008 11:58 AM	 C:\Windows\Prefetch\WERMGR.EXE-2A1BCBC7.pf --------- 28130  
 05/30/2008 11:55 AM	 C:\Windows\Prefetch\SVCHOST.EXE-F59CA9BD.pf --------- 24522  
 05/30/2008 11:55 AM	 C:\Windows\Prefetch\WSQMCONS.EXE-E2CE6542.pf --------- 1952  
 05/30/2008 11:54 AM	 C:\Windows\Prefetch\FSSM32.EXE-D912E533.pf --------- 247630  
 05/30/2008 11:54 AM	 C:\Windows\Prefetch\FSGK32.EXE-C759E9AD.pf --------- 21436  
 05/30/2008 11:54 AM	 C:\Windows\Prefetch\GATELAUNCHER.EXE-5B30E774.pf --------- 276886  
 05/30/2008 11:49 AM	 C:\Windows\Prefetch\WMIADAP.EXE-369DF1CD.pf --------- 20226  
 05/30/2008 11:49 AM	 C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-031B6478.pf --------- 31674  
 05/30/2008 11:48 AM	 C:\Windows\Prefetch\MCNASVC.EXE-A50A383D.pf --------- 69710  
 05/30/2008 11:47 AM	 C:\Windows\Prefetch\PCTSGUI.EXE-C1E7E331.pf --------- 63156  
 05/30/2008 11:47 AM	 C:\Windows\Prefetch\MCSYSMON.EXE-FA02FF35.pf --------- 43070  
 05/30/2008 11:47 AM	 C:\Windows\Prefetch\USNSVC.EXE-42F10D33.pf --------- 19980  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\INFOCARD.EXE-0C9B4CAB.pf --------- 33146  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\WLLOGINPROXY.EXE-E9051163.pf --------- 52174  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\IEXPLORE.EXE-1B894AFB.pf --------- 190932  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\IEUSER.EXE-D895AB54.pf --------- 47900  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\IPODSERVICE.EXE-FE1A6FF7.pf --------- 22176  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\MCMSCSVC.EXE-7AB4A647.pf --------- 40158  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\WMPNETWK.EXE-BD0344CA.pf --------- 81196  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\WMPLAYER.EXE-9DE758AE.pf --------- 74658  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\MCAGENT.EXE-9DD1A779.pf --------- 18174  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\WMPNSCFG.EXE-DF1DD51A.pf --------- 16720  
 05/30/2008 11:46 AM	 C:\Windows\Prefetch\NTOSBOOT-B00DFAAD.pf --------- 1636412  
 05/30/2008 11:43 AM	 C:\Windows\Prefetch\PfSvPerfStats.bin --------- 508  
 05/30/2008 11:43 AM	 C:\Windows\Prefetch\LOGONUI.EXE-1BEE4A84.pf --------- 34212  
 05/30/2008 11:43 AM	 C:\Windows\Prefetch\OTCLEANIT.EXE-CC66B7D1.pf --------- 36792  
 05/30/2008 11:40 AM	 C:\Windows\Prefetch\_IU14D2N.TMP-077ED58E.pf --------- 28530  
 05/30/2008 11:40 AM	 C:\Windows\Prefetch\DLLHOST.EXE-928474CF.pf --------- 27824  
 05/30/2008 11:40 AM	 C:\Windows\Prefetch\UNINS000.EXE-2D3483EE.pf --------- 26984  
 05/30/2008 11:40 AM	 C:\Windows\Prefetch\REGSVR32.EXE-55A4EE79.pf --------- 28050  
 05/30/2008 11:40 AM	 C:\Windows\Prefetch\MBAMTRAYCTRL.EXE-C6064BBF.pf --------- 16410  
 05/30/2008 11:40 AM	 C:\Windows\Prefetch\MBAM.EXE-F6B767D6.pf --------- 60026  
 05/30/2008 11:39 AM	 C:\Windows\Prefetch\DLLHOST.EXE-7D2183B8.pf --------- 36294  
 05/30/2008 11:37 AM	 C:\Windows\Prefetch\MCSYSMON.EXE-B83A0C51.pf --------- 49856  
 05/30/2008 11:37 AM	 C:\Windows\Prefetch\UNINS000.EXE-98FBD3A7.pf --------- 26882  
 05/30/2008 11:36 AM	 C:\Windows\Prefetch\MOBSYNC.EXE-D8BC6ED2.pf --------- 34206  
 05/30/2008 11:30 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-41E85287.pf --------- 31482  
 05/30/2008 11:30 AM	 C:\Windows\Prefetch\CLEANMGR.EXE-B508FB28.pf --------- 106136  
 05/30/2008 11:28 AM	 C:\Windows\Prefetch\FIREFOX.EXE-25FC0A66.pf --------- 138240  
 05/30/2008 11:28 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-A0BEFB14.pf --------- 55696  
 05/30/2008 11:27 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-A6BC5652.pf --------- 93724  
 05/30/2008 11:26 AM	 C:\Windows\Prefetch\CONTROL.EXE-9459D5A0.pf --------- 28114  
 05/30/2008 11:25 AM	 C:\Windows\Prefetch\TFGUI.EXE-6FD77F61.pf --------- 149484  
 05/30/2008 11:25 AM	 C:\Windows\Prefetch\MCSHELL.EXE-D4887F49.pf --------- 89798  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCVSSHLD.EXE-4CF152BC.pf --------- 28516  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCODS.EXE-FB682BFA.pf --------- 140234  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCSVRCNT.EXE-AF786231.pf --------- 56284  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCUPDMGR.EXE-E739D674.pf --------- 171126  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\HWUPDCHK.EXE-55D43B49.pf --------- 41848  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCUPDATE.EXE-1D3D9B9D.pf --------- 45092  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCSYNC.EXE-B4644EB5.pf --------- 41286  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCINFO.EXE-5B5B97DD.pf --------- 48682  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\MCVSMAP.EXE-AD395C53.pf --------- 17980  
 05/30/2008 11:24 AM	 C:\Windows\Prefetch\TFUD.EXE-CD05DF95.pf --------- 37162  
 05/30/2008 11:23 AM	 C:\Windows\Prefetch\MCHOST.EXE-18DBEE1D.pf --------- 25460  
 05/30/2008 11:20 AM	 C:\Windows\Prefetch\MIRC.EXE-701A1026.pf --------- 45018  
 05/30/2008 11:20 AM	 C:\Windows\Prefetch\AGENTSVR.EXE-2DB83BDE.pf --------- 19810  
 05/30/2008 12:47 AM	 C:\Windows\Prefetch\BSPLAYER.EXE-9CADB650.pf --------- 91022  
 05/30/2008 12:46 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-3FCBF927.pf --------- 20386  
 05/30/2008 12:44 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-CC74A1C3.pf --------- 20702  
 05/29/2008 11:39 PM	 C:\Windows\Prefetch\NOTEPAD.EXE-EB1B961A.pf --------- 24150  
 05/29/2008 11:39 PM	 C:\Windows\Prefetch\MSIEXEC.EXE-B5AFA339.pf --------- 49656  
 05/29/2008 11:39 PM	 C:\Windows\Prefetch\MSVS.EXE-1F7FBBC6.pf --------- 113298  
 05/29/2008 11:28 PM	 C:\Windows\Prefetch\layout.ini --------- 762768  
 05/29/2008 10:44 PM	 C:\Windows\Prefetch\MCSVRCNT.EXE-4DE69EA4.pf --------- 58120  
 05/29/2008 10:44 PM	 C:\Windows\Prefetch\MCINFO.EXE-836A2380.pf --------- 49720  
 05/29/2008 10:44 PM	 C:\Windows\Prefetch\MCVSMAP.EXE-D084C2CF.pf --------- 27700  
 05/29/2008 10:43 PM	 C:\Windows\Prefetch\MSNMSGR.EXE-DD43BBF4.pf --------- 93068  
 05/29/2008 03:24 PM	 C:\Windows\Prefetch\MSFEEDSSYNC.EXE-1F01ED17.pf --------- 20982  
 05/29/2008 03:01 PM	 C:\Windows\Prefetch\MCUPDUI.EXE-444F9B87.pf --------- 42104  
 05/29/2008 03:01 PM	 C:\Windows\Prefetch\MCINSUPD.EXE-F04E58EF.pf --------- 194866  
 05/29/2008 03:00 PM	 C:\Windows\Prefetch\MCUPDMGR.EXE-85A812E7.pf --------- 130808  
 05/29/2008 02:04 PM	 C:\Windows\Prefetch\SWREG.EXE-D6527589.pf --------- 14142  
 05/29/2008 02:04 PM	 C:\Windows\Prefetch\SED.EXE-DE96FBF5.pf --------- 14022  
 05/29/2008 02:03 PM	 C:\Windows\Prefetch\MD5DEEP.EXE-55E67C0D.pf --------- 15500  
 05/29/2008 02:01 PM	 C:\Windows\Prefetch\SWREG.EXE-8C235260.pf --------- 14142  
 05/29/2008 02:01 PM	 C:\Windows\Prefetch\SED.EXE-3FD08E3C.pf --------- 14022  
 05/29/2008 02:01 PM	 C:\Windows\Prefetch\MD5DEEP.EXE-AA2A0A74.pf --------- 15656  
 05/29/2008 01:59 PM	 C:\Windows\Prefetch\RUNDLL32.EXE-31EB8D66.pf --------- 20486  
 05/29/2008 01:52 PM	 C:\Windows\Prefetch\MPFALERT.EXE-CE946324.pf --------- 46012  
 05/29/2008 01:52 PM	 C:\Windows\Prefetch\MBAM-SETUP.TMP-9C4B8E95.pf --------- 23698  
 05/29/2008 01:52 PM	 C:\Windows\Prefetch\MBAM-SETUP.EXE-86A292F1.pf --------- 25894  
 05/29/2008 01:52 PM	 C:\Windows\Prefetch\MBAM-SETUP.TMP-BFE73D4B.pf --------- 25422  
 05/29/2008 01:49 PM	 C:\Windows\Prefetch\SED.EXE-F0748C26.pf --------- 13860  
 05/29/2008 01:48 PM	 C:\Windows\Prefetch\SWREG.EXE-FAE04BAA.pf --------- 14154  
 05/29/2008 01:47 PM	 C:\Windows\Prefetch\MD5DEEP.EXE-622CA91E.pf --------- 15310  
 05/29/2008 11:24 AM	 C:\Windows\Prefetch\AgAppLaunch.db --------- 332116  
----------------------------------------

 
C:\Windows\Tasks

 05/30/2008 11:45 AM	 C:\Windows\Tasks\RegCure Program Check.job --------- 440  
 05/30/2008 11:45 AM	 C:\Windows\Tasks\SA.DAT --------- 6  
 05/30/2008 11:43 AM	 C:\Windows\Tasks\SCHEDLGU.TXT --------- 32570  
 05/29/2008 10:39 PM	 C:\Windows\Tasks\User_Feed_Synchronization-{54C04306-396D-428A-A04D-8B1A362526F2}.job --------- 424  
 05/01/2008 03:24 AM	 C:\Windows\Tasks\RegCure.job --------- 374  
 05/01/2008 01:00 AM	 C:\Windows\Tasks\McQcTask.job --------- 334  
 04/19/2008 10:12 AM	 C:\Windows\Tasks\McDefragTask.job --------- 342  
----------------------------------------

 
C:\Windows\Temp

 05/30/2008 11:50 AM	 C:\Windows\Temp\mcmsc_y3iewZ7TX91g4KY --------- 1024  
 05/30/2008 11:50 AM	 C:\Windows\Temp\mcmsc_H3wFWw4xzCz9MTv --------- 1024  
 05/30/2008 11:46 AM	 C:\Windows\Temp\mcmsc_njkf0V2tTUq6xh6 --------- 1024  
 05/30/2008 11:46 AM	 C:\Windows\Temp\mcafee_XcLnYr0B2fdlvvJ --------- 2048  
 05/30/2008 11:46 AM	 C:\Windows\Temp\mcmsc_RNeC0adoIIQEZXz --------- 0  
----------------------------------------

 
C:\Users\Daniel\AppData\Local\Temp

 05/30/2008 01:38 PM	 C:\Users\Daniel\AppData\Local\Temp\~ruvaize.tmp --------- 8192  
 05/30/2008 01:11 PM	 C:\Users\Daniel\AppData\Local\Temp\Low --------- 4096  
 05/30/2008 11:54 AM	 C:\Users\Daniel\AppData\Local\Temp\nvcbin.def.AB37B891.TMP --------- 946972  
----------------------------------------

 
C:\Program Files

 05/28/2008 09:14 PM	 C:\Program Files\Yahoo --------- 0  
 05/25/2008 03:49 AM	 C:\Program Files\InstallShield Installation Information --------- 0  
 05/23/2008 11:04 AM	 C:\Program Files\SiteAdvisor --------- 0  
 05/22/2008 05:12 PM	 C:\Program Files\Windows Live Safety Center --------- 4096  
 05/20/2008 01:47 PM	 C:\Program Files\Microsoft Silverlight --------- 0  
 05/14/2008 10:55 AM	 C:\Program Files\Windows Mail --------- 4096  
 05/10/2008 09:57 AM	 C:\Program Files\MSXML 4.0 --------- 0  
 05/09/2008 12:28 PM	 C:\Program Files\NeroInstall.bak --------- 0  
 05/09/2008 12:11 PM	 C:\Program Files\Nero --------- 0  
 05/09/2008 12:11 PM	 C:\Program Files\Common Files --------- 4096  
 05/01/2008 09:37 PM	 C:\Program Files\Canon --------- 0  
 04/27/2008 04:58 PM	 C:\Program Files\Java --------- 4096  
 04/25/2008 09:56 PM	 C:\Program Files\Mozilla Firefox --------- 8192  
 04/21/2008 08:55 PM	 C:\Program Files\AviSynth 2.5 --------- 0  
 04/19/2008 03:20 PM	 C:\Program Files\Adobe --------- 4096  
 04/19/2008 11:43 AM	 C:\Program Files\McAfee --------- 0  
 04/19/2008 01:58 AM	 C:\Program Files\McAfee.com --------- 0  
 04/18/2008 04:18 PM	 C:\Program Files\uTorrent --------- 0  
 04/18/2008 03:59 PM	 C:\Program Files\iPod --------- 0  
 04/18/2008 03:57 PM	 C:\Program Files\Bonjour --------- 0  
 04/18/2008 03:57 PM	 C:\Program Files\Internet Explorer --------- 4096  
 04/18/2008 03:57 PM	 C:\Program Files\QuickTime --------- 4096  
 04/18/2008 03:56 PM	 C:\Program Files\Apple Software Update --------- 4096  
 04/18/2008 03:45 PM	 C:\Program Files\Microsoft Works --------- 0  
 04/18/2008 03:45 PM	 C:\Program Files\Microsoft Office --------- 4096  
 04/18/2008 03:45 PM	 C:\Program Files\Microsoft.NET --------- 0  
 04/18/2008 03:37 PM	 C:\Program Files\Messenger Plus Live --------- 4096  
 04/18/2008 03:35 PM	 C:\Program Files\Windows Live --------- 0  
 04/18/2008 03:14 PM	 C:\Program Files\Microsoft IntelliType Pro --------- 4096  
 04/18/2008 03:10 PM	 C:\Program Files\Microsoft IntelliPoint --------- 8192  
 04/18/2008 02:38 PM	 C:\Program Files\desktop.ini --------- 174  
 04/18/2008 02:32 PM	 C:\Program Files\Windows Calendar --------- 0  
 04/18/2008 02:32 PM	 C:\Program Files\Windows Sidebar --------- 4096  
 04/18/2008 02:32 PM	 C:\Program Files\Movie Maker --------- 0  
 04/18/2008 02:32 PM	 C:\Program Files\Windows Media Player --------- 4096  
 04/18/2008 02:32 PM	 C:\Program Files\Windows Collaboration --------- 0  
 04/18/2008 02:32 PM	 C:\Program Files\Windows Journal --------- 0  
 04/18/2008 02:32 PM	 C:\Program Files\Windows Photo Gallery --------- 4096  
 04/18/2008 02:32 PM	 C:\Program Files\Windows Defender --------- 4096  
 04/18/2008 01:27 PM	 C:\Program Files\CONEXANT --------- 0  
 11/02/2006 09:01 PM	 C:\Program Files\Uninstall Information --------- 0  
 11/02/2006 08:37 PM	 C:\Program Files\Microsoft Games --------- 0  
 11/02/2006 08:37 PM	 C:\Program Files\Windows NT --------- 0  
 11/02/2006 08:37 PM	 C:\Program Files\MSBuild --------- 0  
 11/02/2006 08:37 PM	 C:\Program Files\Reference Assemblies --------- 0  
----------------------------------------

 
C:\ProgramData\.. 

Daniel	
Public	
desktop.ini	
Default User	
All Users	
Default	
----------------------------------------

 
C:\Windows\system32\drivers\etc\hosts

127.0.0.1	   localhost
::1			 localhost

----------------------------------------

 

Image Name					 PID Session Name		Session#	Mem Usage
========================= ======== ================ =========== ============
System Idle Process			  0 Services				   0		 24 K
System						   4 Services				   0	 10,384 K
smss.exe					   424 Services				   0		548 K
csrss.exe					  540 Services				   0	  5,740 K
wininit.exe					584 Services				   0	  3,944 K
csrss.exe					  604 Console					1	 12,652 K
services.exe				   636 Services				   0	  6,996 K
lsass.exe					  652 Services				   0	  8,376 K
lsm.exe						660 Services				   0	  4,088 K
svchost.exe					816 Services				   0	  6,608 K
svchost.exe					876 Services				   0	  6,376 K
winlogon.exe				   916 Console					1	  4,772 K
svchost.exe				   1000 Services				   0	 12,508 K
svchost.exe				   1024 Services				   0	 71,228 K
svchost.exe				   1036 Services				   0	 35,504 K
audiodg.exe				   1140 Services				   0	 18,580 K
SLsvc.exe					 1208 Services				   0	  3,716 K
svchost.exe				   1276 Services				   0	 10,112 K
svchost.exe				   1440 Services				   0	 10,644 K
spoolsv.exe				   1672 Services				   0	  7,756 K
svchost.exe				   1720 Services				   0	  9,404 K
dwm.exe					   1896 Console					1	 84,764 K
explorer.exe				  1932 Console					1	 41,012 K
taskeng.exe				   1964 Console					1	 10,092 K
RtHDVCpl.exe				  1128 Console					1	  5,720 K
rundll32.exe				  1916 Console					1	  4,136 K
ipoint.exe					2040 Console					1		832 K
itype.exe					  432 Console					1		352 K
iTunesHelper.exe			   240 Console					1	  5,600 K
gnotify.exe				   1548 Console					1	 10,004 K
mcagent.exe					688 Console					1		348 K
SiteAdv.exe				   1948 Console					1	 10,704 K
jusched.exe				   1620 Console					1	  3,608 K
taskeng.exe				   1332 Services				   0	  5,916 K
MaxMenuMgrBasics.exe		  1152 Console					1	  4,664 K
ehtray.exe					1452 Console					1	  2,324 K
sidebar.exe				   1408 Console					1	 25,876 K
msnmsgr.exe				   1384 Console					1	 20,984 K
wmpnscfg.exe				  1688 Console					1	  4,616 K
AppleMobileDeviceService.	 2248 Services				   0	  3,408 K
SyncServicesBasics.exe		2308 Services				   0	  4,116 K
mDNSResponder.exe			 2328 Services				   0	  3,556 K
mxtask.exe					2460 Services				   0	  5,920 K
McProxy.exe				   2608 Services				   0		692 K
Mcshield.exe				  2632 Services				   0	 36,720 K
MpfSrv.exe					2692 Services				   0	  5,144 K
svchost.exe				   2800 Services				   0	  4,248 K
pctsAuxs.exe				  2864 Services				   0		788 K
ehmsas.exe					3028 Console					1	  3,900 K
mxtask.exe					3068 Console					1	  6,720 K
pctsSvc.exe				   3164 Services				   0	 24,292 K
SAService.exe				 3440 Services				   0	  4,736 K
pctsTray.exe				  3448 Console					1	  1,592 K
dpupdchk.exe				  3456 Console					1	  4,148 K
svchost.exe				   3496 Services				   0	  5,552 K
TFService.exe				 3528 Services				   0	  3,868 K
svchost.exe				   3576 Services				   0	  2,800 K
SearchIndexer.exe			 3624 Services				   0	  9,436 K
WUDFHost.exe				  3676 Services				   0	  4,936 K
XAudio.exe					3740 Services				   0	  2,672 K
rundll32.exe				  3912 Console					1	  5,340 K
wmpnetwk.exe				   984 Services				   0	  7,920 K
mcmscsvc.exe				  3704 Services				   0	  6,000 K
iPodService.exe			   3512 Services				   0	  4,580 K
ieuser.exe					5020 Console					1	 20,220 K
iexplore.exe				  5040 Console					1	300,128 K
WLLoginProxy.exe			  5264 Console					1	  9,504 K
usnsvc.exe					5920 Services				   0	  4,560 K
mcsysmon.exe				  4756 Services				   0	  4,720 K
McNASvc.exe				   5572 Services				   0	  7,824 K
gatelauncher.exe			  5796 Console					1	  8,208 K
fsgk32.exe					4792 Console					1	  9,176 K
fssm32.exe					4744 Console					1	 70,484 K
svchost.exe				   1796 Services				   0	  7,860 K
FlashUtil9f.exe			   2480 Console					1	  6,216 K
svchost.exe				   4708 Services				   0	  7,732 K
conime.exe					2184 Console					1		 80 K
conime.exe					2496 Console					1	  4,692 K
cmd.exe					   5492 Console					1	  5,680 K
tasklist.exe				  5516 Console					1	  5,764 K
WmiPrvSE.exe				  5668 Services				   0	  7,016 K

 
***** Ende des Scans Fri 05/30/2008 um 13:40:36.12 ***


#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:11:55 AM

Posted 01 June 2008 - 02:11 AM

Hey Cloud_D,

Step #1

Sorry for the delay. Please navigate to and delete the following:

HJTScanlist.zip
C:\delete.bat
C:\NoLop.log
C:\VundoFix.txt
C:\ComboFix.txt
C:\Windows\system32\hjtscanlist.txt


Step #2

It appears you have used ComboFix before we started this thread. If you still have the programme on your system:

Please navigate to: Start >> Run... and type Combofix /u and hit Enter. Thanks.

Step #3

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself. Should you experience any difficulties in updating your Hosts file, you may wish to visit this link: "Updating the HOSTS file in Windows Vista"
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer, please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
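The scan log above dumps the hosts file because malware commonly rewrites it to block or redirect security and update sites, while the HostsMan advice in this post installs a blocking list into that same file. As an added example that is not part of the thread, here is a small Python audit that separates the stock localhost lines, harmless blocklist entries, and suspicious ones; it goes a step beyond the post by also flagging loopback mappings of update or security sites. The PROTECTED_SUFFIXES watch list and the sample hosts file are constructed for the example.

```python
"""Audit a Windows hosts file: default vs. blocklist vs. suspicious entries.

Added example, not from the thread. Malware commonly rewrites the hosts file to
block or redirect security/update sites; a blocking list (as HostsMan installs)
maps ad/malware names to a loopback address. This tells the two apart.
"""
import ipaddress

# Addresses blocking lists use; mapping a name to one of these just blackholes it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watch list: sites an infection typically cuts the machine off from.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "mcafee.com",
    "pctools.com", "bleepingcomputer.com",
)

# Constructed sample hosts file, in the format the scanner dumped above.
SAMPLE_HOSTS = """\
# constructed header comment
127.0.0.1       localhost
::1             localhost
# blocklist-style entries (harmless)
127.0.0.1  ads.example.com
0.0.0.0    tracker.example.net
# hijack-style entries (what a cleaner should flag)
127.0.0.1  www.windowsupdate.com
203.0.113.7  www.mcafee.com  mcafee.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; skips comments and junk."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an address, so not a mapping line
        for host in parts[1:]:
            yield n, ip, host.lower().rstrip(".")

def is_protected(host):
    """True when host is, or is under, one of the watched domains."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)

def classify(ip, host):
    """'default' for the stock localhost lines, 'blocklist' for loopback
    blackholes of other names, 'suspicious' for anything that redirects a
    name to a real address or blackholes a protected site."""
    if host == "localhost" and ip in LOOPBACK:
        return "default"
    if ip in LOOPBACK:
        return "suspicious" if is_protected(host) else "blocklist"
    return "suspicious"

def audit(text):
    """Group every mapping in a hosts file by classification."""
    report = {"default": [], "blocklist": [], "suspicious": []}
    for n, ip, host in parse_hosts(text):
        report[classify(ip, host)].append((n, ip, host))
    return report
```

Run it against a copy of C:\Windows\system32\drivers\etc\hosts and review the "suspicious" group; a freshly installed blocklist should land entirely under "blocklist".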


#12 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 01 June 2008 - 06:47 AM

Thanks for the help!

I have one last question though; what do I do with Erunt? Thanks again!

#13 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:11:55 AM

Posted 01 June 2008 - 06:54 AM

I don't see any harm in leaving it on your system, but if you wish to uninstall it:

Uninstallation
--------------

Use "Add/Remove Programs" in Windows' control panel to remove ERUNT
from your computer.

Or, if you downloaded the zipped version: Delete the ERUNT folder,
delete the appropriate desktop icons.

(You may also want to delete all restore folders you have previously
created with the program.)

http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#14 Cloud_D

Cloud_D
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 01 June 2008 - 09:51 AM

Thanks again for the help! =)

