Infected With Vundo Xf And Darksma


This topic is locked
7 replies to this topic

#1 sharpy1977


Posted 16 May 2008 - 03:31 PM

Hello

The problem I have is that Vundo has been on the computer for a few weeks and until now I have not been able to remove it. When I scan for viruses/spyware (using Virgin PC guard, Ad-Aware 2007) they find the problems, but when I try to remove the infections they don't go away. I also tried VundoFix.exe and I get the same result: it doesn't go away.

Since Vundo appeared I keep getting taken to websites for casinos, spyware removal, porn removal etc., basically unwanted sites that just start up themselves. Lately I also find Darksma when I scan and it also doesn't go away.

I now use Firefox as IE7 takes ages to change pages. By ages I mean I left a page for 10 mins and when I went back it still hadn't loaded any further, so I cannot use IE at all.

I hope you can help!

Here are my DSS reports. I never ran the Kaspersky scan as it said I should use IE and, as I have said, it's impossible to use.

Deckard's System Scanner v20071014.68
Run by Gordon on 2008-05-16 20:43:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
88: 2008-05-16 19:44:11 UTC - RP199 - Deckard's System Scanner Restore Point
87: 2008-05-14 18:45:49 UTC - RP198 - Software Distribution Service 3.0
86: 2008-05-11 19:30:09 UTC - RP197 - System Checkpoint
85: 2008-05-08 20:32:23 UTC - RP196 - Software Distribution Service 3.0
84: 2008-05-05 21:09:24 UTC - RP195 - Installed Windows Live Toolbar


-- First Restore Point --
1: 2008-04-13 23:39:47 UTC - RP112 - Installed Router Toolbox


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Gordon.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46:19, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe
C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\PrtlAgt.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gordon\Desktop\dss.exe
C:\HJT\Gordon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\qajsovfl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {a26a9891-9c49-8919-31d4-ae278a4c3018} - {8103c4a8-72ea-4d13-9198-94c91989a62a} - C:\WINDOWS\system32\gcbdqulg.dll
O2 - BHO: (no name) - {A4D13F30-55A5-49BB-8B90-2A71EA9673A9} - C:\WINDOWS\system32\nnnNGXOF.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D5AA4BEF-D7B7-4D57-9614-65CA882056DB} - C:\WINDOWS\system32\byXOiFWo.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {1962c5bc-e475-465b-823b-133e711bceb9} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [415a9d4c] rundll32.exe "C:\WINDOWS\system32\foqiakmo.dll",b
O4 - HKLM\..\Run: [BM4269aed0] Rundll32.exe "C:\WINDOWS\system32\aeldbvok.dll",s
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [WirelessAudioUtility] "C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe" 1
O4 - HKCU\..\Run: [RouterToolbox] C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe /autoRun
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: STK014 PNP Monitor.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195075508687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196621928890
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: nnnNGXOF - C:\WINDOWS\SYSTEM32\nnnNGXOF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 13314 bytes

-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20080501-204413-611 O4 - HKLM\..\Run: [BM4269aed0] Rundll32.exe "C:\WINDOWS\system32\actnbjal.dll",s

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 oflpydin - c:\docume~1\gordon\locals~1\temp\oflpydin.sys (file missing)
S3 se44bus (Sony Ericsson Device 068 driver (WDM)) - c:\windows\system32\drivers\se44bus.sys <Not Verified; MCCI; Sony Ericsson Device 068>
S3 se44mdfl (Sony Ericsson Device 068 USB WMC Modem Filter) - c:\windows\system32\drivers\se44mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 068 USB WMC Modem Filter Driver>
S3 se44mdm (Sony Ericsson Device 068 USB WMC Modem Driver) - c:\windows\system32\drivers\se44mdm.sys <Not Verified; MCCI; Sony Ericsson Device 068 USB WMC Data Modem>
S3 se44mgmt (Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se44mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 068 USB WMC Device Management>
S3 se44nd5 (Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS)) - c:\windows\system32\drivers\se44nd5.sys <Not Verified; MCCI; Sony Ericsson Device 068 USB Ethernet Emulation>
S3 se44obex (Sony Ericsson Device 068 USB WMC OBEX Interface) - c:\windows\system32\drivers\se44obex.sys <Not Verified; MCCI; Sony Ericsson Device 068 USB WMC OBEX Interface>
S3 se44unic (Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM)) - c:\windows\system32\drivers\se44unic.sys <Not Verified; MCCI; Sony Ericsson Device 068 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-16 20:25:07 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-05-16 19:23:43 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-03 11:51:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 17:21:26 102464 --a------ C:\WINDOWS\system32\gcbdqulg.dll
2008-05-16 17:15:26 90688 --a------ C:\WINDOWS\system32\foqiakmo.dll
2008-05-16 17:09:26 96832 --a------ C:\WINDOWS\system32\aeldbvok.dll
2008-05-16 17:06:27 53312 --a------ C:\WINDOWS\system32\qajsovfl.dll
2008-05-16 17:04:34 3648 --a------ C:\WINDOWS\system32\nlxoqgsl.dll
2008-05-14 12:49:56 91712 -----n--- C:\WINDOWS\system32\fwgoqcrt.dll
2008-05-14 12:43:55 100928 --a------ C:\WINDOWS\system32\rtewsngd.dll
2008-05-14 12:40:55 99392 --a------ C:\WINDOWS\system32\tqnjhbva.dll
2008-05-14 12:37:56 3648 --a------ C:\WINDOWS\system32\pkhxdmdo.dll
2008-05-14 12:37:10 53312 --a------ C:\WINDOWS\system32\beagboys.dll
2008-05-14 12:32:47 0 d-------- C:\Documents and Settings\Carolyn\Application Data\Mozilla
2008-05-11 22:07:53 101952 --a------ C:\WINDOWS\system32\uvrkqapk.dll
2008-05-11 22:01:53 91712 -----n--- C:\WINDOWS\system32\lfclqoxv.dll
2008-05-11 21:58:53 98368 --a------ C:\WINDOWS\system32\oidfvwqn.dll
2008-05-11 21:55:53 53312 --a------ C:\WINDOWS\system32\ockgcnvh.dll
2008-05-10 22:06:39 102464 --a------ C:\WINDOWS\system32\gwuevthj.dll
2008-05-10 21:57:39 53312 --a------ C:\WINDOWS\system32\hflcuepj.dll
2008-05-10 21:55:04 100416 --a------ C:\WINDOWS\system32\kdoadmpy.dll
2008-05-09 22:33:31 0 d-------- C:\Program Files\Orb Networks
2008-05-09 22:05:00 102976 --a------ C:\WINDOWS\system32\onenipvw.dll
2008-05-09 21:56:00 98368 --a------ C:\WINDOWS\system32\ahfptmxl.dll
2008-05-09 21:53:54 53312 --a------ C:\WINDOWS\system32\mpvftvug.dll
2008-05-08 21:32:01 101440 --a------ C:\WINDOWS\system32\qsnxjglo.dll
2008-05-08 21:29:00 90176 -----n--- C:\WINDOWS\system32\lseqruam.dll
2008-05-08 21:26:01 99904 --a------ C:\WINDOWS\system32\drmbgyew.dll
2008-05-08 21:23:56 53312 --a------ C:\WINDOWS\system32\bdqpbbgq.dll
2008-05-05 22:12:27 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-05-05 22:09:27 0 d-------- C:\Program Files\Windows Live Toolbar
2008-05-05 22:02:58 107584 --a------ C:\WINDOWS\system32\uwnffhbd.dll
2008-05-05 21:59:55 53312 --a------ C:\WINDOWS\system32\lqdnipqn.dll
2008-05-05 21:59:28 104000 --a------ C:\WINDOWS\system32\qwjxkmbw.dll
2008-05-04 22:52:38 0 d-------- C:\Program Files\Pando Networks
2008-05-04 12:47:03 108096 --a------ C:\WINDOWS\system32\whktpygx.dll
2008-05-04 12:44:03 95296 -----n--- C:\WINDOWS\system32\begavdmw.dll
2008-05-04 12:42:33 104512 --a------ C:\WINDOWS\system32\rnyormxa.dll
2008-05-04 12:42:09 53312 --a------ C:\WINDOWS\system32\kkekrfip.dll
2008-05-02 21:59:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Virgin Broadband
2008-05-02 21:45:16 105536 --a------ C:\WINDOWS\system32\nsivivyf.dll
2008-05-02 21:39:13 105536 --a------ C:\WINDOWS\system32\yswfnuha.dll
2008-05-02 21:36:33 53312 --a------ C:\WINDOWS\system32\sfpktrpu.dll
2008-05-01 20:23:40 0 d-------- C:\HJT
2008-05-01 18:51:12 0 d------c- C:\VundoFix Backups
2008-05-01 18:11:02 3914 --a------ C:\WINDOWS\system32\xmsnorqr.dll
2008-05-01 18:10:07 3914 --a------ C:\WINDOWS\system32\fpubywpi.dll
2008-04-27 22:39:06 107072 --a------ C:\WINDOWS\system32\mnqrqpsu.dll
2008-04-27 22:33:06 53312 --a------ C:\WINDOWS\system32\eiweuxme.dll
2008-04-27 22:30:20 105024 -----n--- C:\WINDOWS\system32\actnbjal.dll
2008-04-27 21:59:06 0 d-------- C:\Program Files\iPhoneBrowser
2008-04-27 17:56:31 0 d-------- C:\Program Files\XoftSpySE
2008-04-27 11:09:05 0 d-------- C:\Program Files\7-Zip
2008-04-26 22:56:34 0 d-------- C:\Program Files\WinSCP
2008-04-26 22:38:08 107072 --a------ C:\WINDOWS\system32\hryxqhri.dll
2008-04-26 22:35:08 95808 -----n--- C:\WINDOWS\system32\hfxfwahu.dll
2008-04-26 22:32:09 106048 --a------ C:\WINDOWS\system32\oyuiosqv.dll
2008-04-26 22:29:36 53312 --a------ C:\WINDOWS\system32\ylbxkjcb.dll
2008-04-24 23:05:37 0 d------c- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-24 22:36:01 0 d-------- C:\Program Files\GlobalSCAPE
2008-04-24 21:54:47 96320 --a------ C:\WINDOWS\system32\bxumniqg.dll
2008-04-24 21:54:41 53312 --a------ C:\WINDOWS\system32\gucxrnij.dll
2008-04-23 22:00:45 89152 -----n--- C:\WINDOWS\system32\hijjicjg.dll
2008-04-23 21:57:46 93248 --a------ C:\WINDOWS\system32\wtiyvfmo.dll
2008-04-23 21:54:45 95808 --a------ C:\WINDOWS\system32\bsedyehr.dll
2008-04-23 21:52:12 53312 --a------ C:\WINDOWS\system32\nodxnals.dll
2008-04-18 21:56:07 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-18 21:56:04 0 d-------- C:\Program Files\SoftwareClub.ws
2008-04-18 21:40:40 87616 -----n--- C:\WINDOWS\system32\tbsprvju.dll
2008-04-18 21:40:33 53312 --a------ C:\WINDOWS\system32\xjclclrt.dll
2008-04-18 21:37:44 96320 --a------ C:\WINDOWS\system32\oagwxwfg.dll
2008-04-17 19:36:43 0 d-------- C:\Program Files\Lavasoft
2008-04-17 19:36:43 0 d------c- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-17 19:34:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 19:01:12 0 d--hs---- C:\Documents and Settings\LocalService\Temporary Internet Files
2008-04-17 19:01:12 0 d--hs---- C:\Documents and Settings\LocalService\History
2008-04-17 18:45:10 0 d-------- C:\Program Files\Windows Live Safety Center
2008-04-16 23:05:44 0 d-------- C:\Program Files\Windows Defender
2008-04-16 22:56:58 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-16 20:58:54 94272 --a------ C:\WINDOWS\system32\wtresqkx.dll
2008-04-16 20:55:41 95808 --a------ C:\WINDOWS\system32\sqlemfaj.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-16 20:46:01 990576 --ahs---- C:\WINDOWS\system32\oWFiOXyb.ini2
2008-05-16 20:44:09 84508 --a------ C:\Documents and Settings\Gordon\Application Data\.googlewebacchosts
2008-05-16 18:09:38 0 d-------- C:\Documents and Settings\Gordon\Application Data\BitTorrent
2008-05-14 18:54:23 600 --a------ C:\Documents and Settings\Gordon\Application Data\winscp.rnd
2008-05-01 19:43:49 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-27 17:38:26 0 d-------- C:\Program Files\Common Files\Scanner
2008-04-26 23:41:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-17 19:34:02 0 d-------- C:\Program Files\Common Files
2008-04-15 19:28:38 91712 --a------ C:\WINDOWS\system32\ymsjosor.dll
2008-04-15 19:22:39 96320 --a------ C:\WINDOWS\system32\sbconogy.dll
2008-04-15 19:20:03 53312 --a------ C:\WINDOWS\system32\rsmqfrcy.dll
2008-04-14 21:58:25 0 d-------- C:\Program Files\Ricochet Xtreme
2008-04-14 21:55:35 0 d-------- C:\Program Files\GamesBar
2008-04-14 18:34:06 0 d-------- C:\Program Files\Extra DVD to iPhone Ripper
2008-04-14 18:32:47 0 d-------- C:\Documents and Settings\Gordon\Application Data\UseNeXT
2008-04-14 18:18:14 0 d-------- C:\Program Files\UseNeXT
2008-04-14 11:32:04 0 d-------- C:\Program Files\Digiters DVD to iPhone Converter
2008-04-14 11:11:37 0 d-------- C:\Program Files\Nidesoft DVD to iPhone Converter v3.0
2008-04-14 10:54:07 0 d-------- C:\Documents and Settings\Gordon\Application Data\dvdcss
2008-04-14 10:52:02 0 d-------- C:\Program Files\Cucusoft
2008-04-14 10:51:47 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-14 00:39:29 272896 --a------ C:\WINDOWS\system32\byXOiFWo.dll
2008-04-14 00:34:22 37376 --a------ C:\WINDOWS\system32\nnnNGXOF.dll
2008-04-14 00:34:08 0 d-------- C:\Documents and Settings\Gordon\Application Data\WinRAR
2008-04-14 00:04:19 0 d-------- C:\Program Files\Aniosoft iTouch iPhone Music Movie Backup
2008-04-14 00:03:25 0 d-------- C:\Program Files\Avex
2008-04-13 23:24:43 0 d-------- C:\Program Files\Common Files\PQDVD
2008-04-13 23:24:38 0 d-------- C:\Program Files\PQDVD
2008-04-13 22:38:08 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-13 16:53:44 0 d-------- C:\Program Files\MP3 Player Utilities
2008-04-04 22:04:58 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-04 22:04:53 0 d-------- C:\Program Files\Common Files\Real
2008-03-08 21:39:18 278528 --a------ C:\WINDOWS\system32\livesnth.dll <Not Verified; LiveUpdate; LiveSynth>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
16/05/2008 17:06 53312 --a------ C:\WINDOWS\system32\qajsovfl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8103c4a8-72ea-4d13-9198-94c91989a62a}]
16/05/2008 17:21 102464 --a------ C:\WINDOWS\system32\gcbdqulg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4D13F30-55A5-49BB-8B90-2A71EA9673A9}]
14/04/2008 00:34 37376 --a------ C:\WINDOWS\system32\nnnNGXOF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5AA4BEF-D7B7-4D57-9614-65CA882056DB}]
14/04/2008 00:39 272896 --a------ C:\WINDOWS\system32\byXOiFWo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [06/08/2005 05:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [04/05/2006 06:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [23/03/2006 13:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [23/03/2006 13:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [23/03/2006 13:17]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [02/06/2006 16:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [17/06/2006 06:22]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [23/06/2006 14:43]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [06/09/2007 14:46]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [19/06/2006 10:50]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [11/10/2005 10:23]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [24/11/2006 01:06]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [05/09/2007 15:10]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [05/09/2007 15:10]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [07/08/2007 19:49]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [17/02/2005 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/12/2007 11:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/12/2007 13:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"415a9d4c"="C:\WINDOWS\system32\foqiakmo.dll" [16/05/2008 17:15]
"BM4269aed0"="C:\WINDOWS\system32\aeldbvok.dll" [16/05/2008 17:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [16/03/2006 05:00]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [23/04/2004 15:28]
"WirelessAudioUtility"="C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe" [29/05/2007 17:47]
"RouterToolbox"="C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe" [31/07/2007 19:29]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [09/02/2008 14:02]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [07/12/2007 10:42:03]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [24/09/2005 17:39:30]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [02/06/2006 04:29:26]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [09/07/2007 23:24:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A4D13F30-55A5-49BB-8B90-2A71EA9673A9}"= C:\WINDOWS\system32\nnnNGXOF.dll [14/04/2008 00:34 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnNGXOF]
nnnNGXOF.dll 14/04/2008 00:34 37376 C:\WINDOWS\system32\nnnNGXOF.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOiFWo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8e3a86f-8302-11db-ae0b-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- End of Deckard's System Scanner: finished at 2008-05-16 20:47:15 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M CPU 420 @ 1.60GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 1014.05 MiB / 315.56 MiB
Pagefile Memory (total/avail): 3963.9 MiB / 3268.19 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1910.39 MiB

C: is Fixed (NTFS) - 66.78 GiB total, 28.97 GiB free.
D: is Fixed (FAT32) - 7.73 GiB total, 0.85 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2080BH PL - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 66.78 GiB - C:
\PARTITION1 - Unknown - 7.74 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: PCguard Firewall v6.0.1 (Telewest)
AV: PCguard Anti-Virus v6.0.1 (Telewest)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"="C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\g3torrent\\g3torrent.exe"="C:\\Program Files\\g3torrent\\g3torrent.exe:*:Enabled:g3torrent"
"C:\\Program Files\\AzureWave\\Wireless Audio\\WirelessAudioUtility.exe"="C:\\Program Files\\AzureWave\\Wireless Audio\\WirelessAudioUtility.exe:*:Enabled:WirelessAudioUtility"
"C:\\Program Files\\AzureWave\\Wireless Audio\\NewWizard.exe"="C:\\Program Files\\AzureWave\\Wireless Audio\\NewWizard.exe:*:Enabled:NewWizard"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"="C:\\Program Files\\Pando Networks\\Pando\\pando.exe:*:Enabled:Pando Application"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe:*:Enabled:OrbTVGuide"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe:*:Enabled:OrbChannelScan"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Gordon\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SANDY
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Gordon
LOGONSERVER=\\SANDY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\CA\PPRT\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCTYPE=PRESARIO
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Gordon\LOCALS~1\Temp
TMP=C:\DOCUME~1\Gordon\LOCALS~1\Temp
USERDOMAIN=SANDY
USERNAME=Gordon
USERPROFILE=C:\Documents and Settings\Gordon
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Carolyn (admin)
Samantha (admin)
Gordon (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{939F8208-C8CE-4AFF-B7BA-ACEB2E74A6CB}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F7BB0F7-E782-4086-BD9E-762204239605}\setup.exe" -l0x9
Art Attack --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{526294AE-4192-4A19-9BF0-66CE5631C757}\setup.exe" -l0x9 -removeonly
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}
AzureWave Wireless Audio --> C:\Program Files\InstallShield Installation Information\{295F4C3D-F1B8-4F2C-AD8C-01B23E79BB96}\setup.exe -runfromtemp -l0x0009 -removeonly
BBC iPlayer Download Manager --> MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF}
BitTorrent --> "C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
Bonjour --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D} /l1033
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -ICPL30A5a.INF
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
EAX Unified --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\EAX Unified\Uninst.isu"
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
essvcpt --> MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
Extra DVD to iPhone Ripper 5.0 --> "C:\Program Files\Extra DVD to iPhone Ripper\unins000.exe"
Football Manager 2007 --> C:\Program Files\Sports Interactive\Football Manager 2007\uninstall\Uninstall FM 2007.exe
Froggies --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E83A55D-AD04-4761-BD50-61FF7330621B}\setup.exe" -l0x9
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Photos Screensaver --> MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Google Web Accelerator --> MsiExec.exe /X{6A1975EB-27E6-491D-94BC-6355FA25F40F}
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_CPL30A5m\HXFSETUP.EXE -U -ICPL30A5m.inf
HijackThis 2.0.2 --> "C:\HJT\HijackThis.exe" /uninstall
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
Hooligans - Storm over Europe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B89933C8-E38D-44BE-B3DB-96657D11338F}\setup.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP DVD Play 2.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\Setup.exe" -l0x9 -removeonly
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Quick Launch Buttons 6.30 D2 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0009 -removeonly uninst
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guides--System Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC96BBA7-C634-460E-AD18-A0A994213F80}\Setup.exe" -l0x9 -removeonly
HP User Guides 0037 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{552E6DA4-A0F9-41AC-8473-E825D60674EA}\setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 G2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
iPhoneBrowser --> MsiExec.exe /I{A0F7CEAC-8F77-4936-8DDD-0AD4028A5486}
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Jojo 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{452B9FC2-5ECD-439A-A1FB-3296EFDBBF4A}\setup.exe"
Jojo in Numberland --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90910721-010B-11D6-854E-00105A9FAA9F}\setup.exe"
Jump Ahead 2000 Year 2 v1.0 --> C:\WINDOWS\uninst.exe -fC:\KA\2G\DeIsL1.isu
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140010_1b4022\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Logitech Gaming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9242864-2841-4ADE-86E0-8F90F91B04DD}\setup.exe" -l0x9
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Macromedia Shockwave Player --> MsiExec.exe /X{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}
Mafia Game --> C:\WINDOWS\system32\MafiaSetup.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office PowerPoint Viewer 2007 (English) --> MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Player Utilities --> MsiExec.exe /I{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Pando --> MsiExec.exe /I{C0B0FA55-D4E9-4374-9871-BBFBF2AEF0D1}
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
PKR --> "C:\Program Files\PKR\uninstall-pkr.exe"
PPSDKRedistributables --> MsiExec.exe /I{C869F4FF-E5FF-4FBB-9A31-33C23605E170}
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
QuickTime 3.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\QuickTime\DeIsL3.isu" -c"C:\WINDOWS\system32\QTUninst.dll
Radialpoint Security Services --> MsiExec.exe /X{5DFDEAAA-E050-482E-A5B6-138CAE53F7BF}
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe" -l0x9 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Router Toolbox --> C:\Program Files\InstallShield Installation Information\{BF20C723-3961-43B3-876D-CEE0C3A034EA}\setup.exe -runfromtemp -l0x0009 -removeonly
RPS Ad Blocker --> MsiExec.exe /I{6EA0ABC4-172B-48D4-AF26-93322D7FDE72}
RPS AntiFraud --> MsiExec.exe /I{C831972C-3834-4D9D-A095-8350B324AC3C}
RPS AntiSpyware --> MsiExec.exe /I{EE1D5780-AF29-4DC4-A107-3FD5F79AC63A}
RPS AntiVirus --> MsiExec.exe /I{05BCCF27-DC23-4ED9-87A2-F8D5B244B4C4}
RPS App Detector --> MsiExec.exe /I{3C441434-737C-4D54-8EAB-B409BE54E734}
RPS AsRealtime --> MsiExec.exe /I{D8AEA1D1-78FE-4CE1-9405-D7E55E797C4D}
RPS Backup --> MsiExec.exe /I{B5C0FD16-3A5D-40D5-8B59-4B43279BB5D0}
RPS Burn --> MsiExec.exe /I{A542D695-16D3-4F89-A6F1-091F009B8ABA}
RPS Diagnostic Utility --> MsiExec.exe /I{3A836186-46F8-4388-9830-820E35C02992}
RPS Firewall --> MsiExec.exe /I{ECBDDBD7-43CC-417C-B87A-943AFED8EB57}
RPS ParentalControl --> MsiExec.exe /I{53C32728-D434-4143-9C9D-D73D68D00893}
RPS Performance Tool --> MsiExec.exe /I{DD1C392B-226D-42C9-B8E6-2A9BEF7583B4}
RPS PopupBlocker --> MsiExec.exe /I{324D4909-7A7B-45CD-B199-E975DC108249}
RPS Privacy Manager --> MsiExec.exe /I{FD2EC356-DB5E-40AE-907A-9A1D38F9396D}
RPS RpsCore --> MsiExec.exe /I{AFE0D559-DAC2-4DF0-B432-4CBA15769AA9}
RPS Security Cleanup --> MsiExec.exe /I{5E7EBB6D-F44B-4D8B-9C52-F0F9173FD166}
RPS Zip --> MsiExec.exe /I{3AFF4279-A590-4010-8C8A-3B096A220CFC}
SC System Tuner 3.2.0.0 --> "C:\Program Files\SoftwareClub.ws\System Tuner\unins000.exe"
Screensavers Installer Version 2 --> "C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Sheep --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A7C7A5B1-5AF3-11D1-9CED-00A024BF0407}\setup.exe"
Sid Meier's Railroads! --> C:\Program Files\InstallShield Installation Information\{EE3FBD3C-782E-4A90-9507-0ECFE1FECCE4}\setup.exe -runfromtemp -l0x0009 -removeonly
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SmartAudio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}\setup.exe" -l0x9 -removeonly -S
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
SonicAC3Encoder --> MsiExec.exe /I{52FBAE98-D389-4281-8C14-21B4046CCB4E}
SonicMPEGEncoder --> MsiExec.exe /I{B16AF568-A644-483C-A6DA-5028CD019C8C}
Sony Ericsson PC Suite --> MsiExec.exe /I{FC906D5C-91F9-4DA4-A765-6DCBB669F317}
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
STK014 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7C401C6-B490-4C92-9E6D-F6A862A27B65}\Setup.exe" -l0x9
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Incredibles --> MsiExec.exe /X{098F0462-A6D9-4FB4-87B0-0F46BF0E7EFB}
Traffic Jammer Deluxe (remove only) --> "C:\Program Files\Crystal Squid\Traffic Jammer Deluxe\uninstall.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
UseNeXT --> "C:\Program Files\UseNeXT\unins000.exe"
Virgin Broadband advisor 1.5.14 --> "C:\Program Files\Virgin Broadband\advisor\unins000.exe"
Virgin Broadband PCguard --> C:\Program Files\InstallShield Installation Information\{153BC7CA-9F2F-45AC-B4A1-AFAFBD5D904B}\setup.exe -runfromtemp -l0x0009 -removeonly
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WildTangent Web Driver --> C:\WINDOWS\wt\updater\wcmdmgr.exe -uninstall wtwebdriver
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.1 beta --> "C:\Program Files\WinSCP\unins000.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type11112 / Error
Event Submitted/Written: 05/16/2008 08:28:41 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x78002f00.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type11098 / Warning
Event Submitted/Written: 05/16/2008 07:13:15 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type11097 / Error
Event Submitted/Written: 05/16/2008 05:09:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module unknown, version 0.0.0.0, fault address 0x039f2000.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type11062 / Warning
Event Submitted/Written: 05/14/2008 02:47:31 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type11061 / Error
Event Submitted/Written: 05/14/2008 02:46:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module nss3.dll, version 3.11.5.0, fault address 0x000306df.
Processing media-specific event for [firefox.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20833 / Error
Event Submitted/Written: 05/16/2008 08:47:14 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {222F1C6D-F430-4B76-B3F1-1FE92E214AD3} did not register with DCOM within the required timeout.

Event Record #/Type20832 / Warning
Event Submitted/Written: 05/16/2008 08:46:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SANDY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SANDY27 can't undo changes that you allow.

For more information please see the following:
%SANDY275

Scan ID: {74783772-4038-4F49-ADE5-9E5ED662783A}

User: SANDY\Gordon

Name: %SANDY271

ID: %SANDY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SANDY276

Alert Type: %SANDY278

Detection Type: 1.1.1593.02

Event Record #/Type20831 / Warning
Event Submitted/Written: 05/16/2008 08:46:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SANDY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SANDY27 can't undo changes that you allow.

For more information please see the following:
%SANDY275

Scan ID: {F319DA6B-5BA4-4F9E-BE54-4DF2143A88D3}

User: SANDY\Gordon

Name: %SANDY271

ID: %SANDY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SANDY276

Alert Type: %SANDY278

Detection Type: 1.1.1593.02

Event Record #/Type20830 / Warning
Event Submitted/Written: 05/16/2008 08:46:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SANDY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SANDY27 can't undo changes that you allow.

For more information please see the following:
%SANDY275

Scan ID: {443E333F-2932-4ADB-BE4B-633C897A8F07}

User: SANDY\Gordon

Name: %SANDY271

ID: %SANDY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SANDY276

Alert Type: %SANDY278

Detection Type: 1.1.1593.02

Event Record #/Type20829 / Warning
Event Submitted/Written: 05/16/2008 08:46:37 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SANDY27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SANDY27 can't undo changes that you allow.

For more information please see the following:
%SANDY275

Scan ID: {3D60FBE8-CD91-47FD-9661-4D65C4B4B217}

User: SANDY\Gordon

Name: %SANDY271

ID: %SANDY272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SANDY276

Alert Type: %SANDY278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-16 20:47:15 ------------

#2 Thunder

  • Members
  • 3,294 posts
  • Gender: Male
  • Location: Belgium

Posted 19 May 2008 - 07:18 AM

Hello Sharpy1977 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------

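An added note on reading the MBAM log that step 2 produces. The helper below is example code written for this thread; it is not part of Malwarebytes, ComboFix or either poster's instructions. It parses the "... Infected:" sections of an MBAM 1.x log, pairs each .dll with the .ini in the same folder whose base name is the DLL's name spelled backwards (every Trojan.Vundo DLL in the log posted later in this thread has such a twin, e.g. begavdmw.dll / wmdvageb.ini), and lists the entries MBAM could only mark "Delete on reboot", which are the ones to re-check after the restart. The sample log inside the block is constructed from a few lines in that format; the function and variable names are the example's own.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x text log.

Example code added to this thread; not part of Malwarebytes, ComboFix or the
posters' instructions. It groups the per-item lines by section, pairs Vundo
.dll/.ini twins (reversed base names) and lists "Delete on reboot" items.
"""
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str   # e.g. "Files Infected"
    path: str      # file path or registry key/value
    family: str    # detection name, e.g. "Trojan.Vundo"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


# "<path> (<family>) -> <action>." is the per-item line format of MBAM 1.x logs.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
# Section headers end in a bare colon; the summary lines ("Files Infected: 35") do not.
SECTION_RE = re.compile(r"^[A-Za-z ]+ Infected:$")

# Constructed sample in the same format as the log posted in this thread (a subset of its lines).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Quick Scan
Files Infected: 7

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\415a9d4c (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\begavdmw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmdvageb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utxxahpp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pphaxxtu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nlxoqgsl.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wqisfxet.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text: str) -> list[Entry]:
    """Return every per-item line, tagged with the section it appeared under."""
    entries: list[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            section = line[:-1]          # drop the trailing colon
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(Entry(section, m["path"], m["family"], m["action"]))
    return entries


def _split(path: str) -> tuple[str, str, str]:
    """Split a Windows path into (directory, stem, extension), all lower-cased."""
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return directory.lower(), stem.lower(), ext.lower()


def reversed_name_pairs(entries: list[Entry]) -> list[tuple[str, str]]:
    """Pair each .dll with a .ini in the same directory whose stem is the DLL stem reversed.

    A DLL with no such twin, or an .ini whose DLL is absent, is worth a second
    look in the next scan because the two are normally dropped together.
    """
    inis: dict[tuple[str, str], str] = {}
    for e in entries:
        directory, stem, ext = _split(e.path)
        if ext == "ini":
            inis[(directory, stem)] = e.path
    pairs = []
    for e in entries:
        directory, stem, ext = _split(e.path)
        if ext == "dll" and (directory, stem[::-1]) in inis:
            pairs.append((e.path, inis[(directory, stem[::-1])]))
    return pairs


def pending_reboot(entries: list[Entry]) -> list[str]:
    """Items MBAM could not remove while running; verify them after the restart."""
    return [e.path for e in entries if e.action.lower() == "delete on reboot"]


def family_counts(entries: list[Entry]) -> dict[str, int]:
    """How many items each detection family accounted for, across all sections."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.family] = counts.get(e.family, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("Detections by family:", family_counts(found))
    for dll, ini in reversed_name_pairs(found):
        print(f"Vundo twin pair: {dll}  <->  {ini}")
    for path in pending_reboot(found):
        print(f"Re-check after reboot: {path}")
```

On the sample above the two "Delete on reboot" items are utxxahpp.dll, which MBAM also had to unload from memory, and wqisfxet.dll, the file named in the "could not run" message reported in the next post; both belong on the list of paths to confirm gone once the machine has restarted, and a fresh HijackThis log will show whether any startup entry still refers to them.
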
#3 sharpy1977

sharpy1977
  • Topic Starter

  • Members
  • 4 posts

Posted 19 May 2008 - 01:58 PM

Hi Thunder

Thanks for this help. I am very grateful.

After I ran MBAM and the computer restarted, there was a message saying that C:\Windows\System32\wqisfxet.dll could not run. Just thought I'd let you know this.

The HJT log was run last, so I hope this is OK!

Thanks once again

Below are the 3 logs you asked for:

Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Quick Scan
Objects scanned: 43763
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\utxxahpp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4d13f30-55a5-49bb-8b90-2a71ea9673a9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4d13f30-55a5-49bb-8b90-2a71ea9673a9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\415a9d4c (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a4d13f30-55a5-49bb-8b90-2a71ea9673a9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM4269aed0 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin (Adware.Comet) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\begavdmw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmdvageb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\foqiakmo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\omkaiqof.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fwgoqcrt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trcqogwf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hfxfwahu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uhawfxfh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hijjicjg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gjcijjih.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lfclqoxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxoqlcfl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lseqruam.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\maurqesl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tbsprvju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ujvrpsbt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utxxahpp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pphaxxtu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\actnbjal.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsedyehr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hryxqhri.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mnqrqpsu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nlxoqgsl.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oagwxwfg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oyuiosqv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pkhxdmdo.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rkdwtrtx.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sbconogy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sqlemfaj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmxebfjv.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtiyvfmo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtresqkx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ymsjosor.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wqisfxet.dll (Trojan.Agent) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:52:48, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe
C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Virgin Broadband\PCguard\PrtlAgt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9F06FBBD-C5C5-41C4-BDDD-1F055F18E2FB} - C:\WINDOWS\system32\byXOiFWo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [WirelessAudioUtility] "C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe" 1
O4 - HKCU\..\Run: [RouterToolbox] C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe /autoRun
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: STK014 PNP Monitor.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195075508687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196621928890
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O20 - Winlogon Notify: nnnNGXOF - nnnNGXOF.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 12517 bytes

ComboFix 08-05-15.3 - Gordon 2008-05-19 19:34:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.415 [GMT 1:00]
Running from: C:\Documents and Settings\Gordon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gordon\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aeldbvok.dll
C:\WINDOWS\system32\ahfptmxl.dll
C:\WINDOWS\system32\bxumniqg.dll
C:\WINDOWS\system32\chvhochk.ini
C:\WINDOWS\system32\cikigrch.ini
C:\WINDOWS\system32\drmbgyew.dll
C:\WINDOWS\system32\gcbdqulg.dll
C:\WINDOWS\system32\gwuevthj.dll
C:\WINDOWS\system32\jgektkjh.dll
C:\WINDOWS\system32\kdoadmpy.dll
C:\WINDOWS\system32\kxruogtb.ini
C:\WINDOWS\system32\lhtrwhpm.ini
C:\WINDOWS\system32\mahkliya.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nsivivyf.dll
C:\WINDOWS\system32\ocwukdfc.ini
C:\WINDOWS\system32\oidfvwqn.dll
C:\WINDOWS\system32\onenipvw.dll
C:\WINDOWS\system32\oWFiOXyb.ini
C:\WINDOWS\system32\oWFiOXyb.ini2
C:\WINDOWS\system32\qsnxjglo.dll
C:\WINDOWS\system32\qwjxkmbw.dll
C:\WINDOWS\system32\rnyormxa.dll
C:\WINDOWS\system32\rtewsngd.dll
C:\WINDOWS\system32\sdxmfanl.ini
C:\WINDOWS\system32\ssptjnst.dll
C:\WINDOWS\system32\tqnjhbva.dll
C:\WINDOWS\system32\uvrkqapk.dll
C:\WINDOWS\system32\uwcvpgbw.ini
C:\WINDOWS\system32\uwnffhbd.dll
C:\WINDOWS\system32\vewcynlx.dll
C:\WINDOWS\system32\whktpygx.dll
C:\WINDOWS\system32\yswfnuha.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 18:47 . 2008-05-19 18:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 18:47 . 2008-05-19 18:47 <DIR> d-------- C:\Documents and Settings\Gordon\Application Data\Malwarebytes
2008-05-19 18:47 . 2008-05-19 18:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 18:47 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-19 18:47 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 16:02 . 2008-05-18 16:02 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 17:16 . 2008-05-17 17:16 53,312 --a------ C:\WINDOWS\system32\cuflqcqt.dll
2008-05-16 20:42 . 2008-05-16 20:42 <DIR> d----c--- C:\Deckard
2008-05-16 17:06 . 2008-05-16 17:06 53,312 --a------ C:\WINDOWS\system32\qajsovfl.dll
2008-05-14 12:37 . 2008-05-14 12:37 53,312 --a------ C:\WINDOWS\system32\beagboys.dll
2008-05-11 21:55 . 2008-05-11 21:55 53,312 --a------ C:\WINDOWS\system32\ockgcnvh.dll
2008-05-10 21:57 . 2008-05-10 21:57 53,312 --a------ C:\WINDOWS\system32\hflcuepj.dll
2008-05-09 22:33 . 2008-05-09 22:48 <DIR> d-------- C:\Program Files\Orb Networks
2008-05-09 21:59 . 2008-05-10 22:00 2,094 ---hs---- C:\WINDOWS\system32\yghmvrnx.ini
2008-05-09 21:53 . 2008-05-09 21:53 53,312 --a------ C:\WINDOWS\system32\mpvftvug.dll
2008-05-08 21:23 . 2008-05-08 21:23 53,312 --a------ C:\WINDOWS\system32\bdqpbbgq.dll
2008-05-05 22:12 . 2008-05-05 22:12 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-05 22:09 . 2008-05-05 22:09 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-05 21:59 . 2008-05-05 21:59 53,312 --a------ C:\WINDOWS\system32\lqdnipqn.dll
2008-05-04 22:52 . 2008-05-04 22:52 <DIR> d-------- C:\Program Files\Pando Networks
2008-05-04 12:42 . 2008-05-04 12:42 53,312 --a------ C:\WINDOWS\system32\kkekrfip.dll
2008-05-02 21:59 . 2008-05-02 21:59 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Virgin Broadband
2008-05-02 21:36 . 2008-05-02 21:36 53,312 --a------ C:\WINDOWS\system32\sfpktrpu.dll
2008-05-01 20:23 . 2008-05-17 18:16 <DIR> d-------- C:\HJT
2008-05-01 18:51 . 2008-05-01 19:38 <DIR> d----c--- C:\VundoFix Backups
2008-05-01 18:11 . 2008-05-01 18:11 3,914 --a------ C:\WINDOWS\system32\xmsnorqr.dll
2008-05-01 18:10 . 2008-05-01 18:10 3,914 --a------ C:\WINDOWS\system32\fpubywpi.dll
2008-04-27 22:33 . 2008-04-27 22:33 53,312 --a------ C:\WINDOWS\system32\eiweuxme.dll
2008-04-27 21:59 . 2008-04-27 21:59 <DIR> d-------- C:\Program Files\iPhoneBrowser
2008-04-27 17:56 . 2008-04-27 18:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-27 11:09 . 2008-04-27 11:09 <DIR> d-------- C:\Program Files\7-Zip
2008-04-26 22:56 . 2008-04-26 22:56 <DIR> d-------- C:\Program Files\WinSCP
2008-04-26 22:29 . 2008-04-26 22:29 53,312 --a------ C:\WINDOWS\system32\ylbxkjcb.dll
2008-04-24 23:05 . 2008-04-24 23:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-24 22:36 . 2008-04-24 22:36 <DIR> d-------- C:\Program Files\GlobalSCAPE
2008-04-24 21:54 . 2008-04-24 21:54 53,312 --a------ C:\WINDOWS\system32\gucxrnij.dll
2008-04-23 21:52 . 2008-04-23 21:52 53,312 --a------ C:\WINDOWS\system32\nodxnals.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 18:37 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-19 15:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-16 17:09 --------- d-----w C:\Documents and Settings\Gordon\Application Data\BitTorrent
2008-04-27 16:38 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-26 22:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 20:56 --------- d-----w C:\Program Files\SoftwareClub.ws
2008-04-17 18:43 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 18:38 --------- dc----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-17 18:36 --------- d-----w C:\Program Files\Lavasoft
2008-04-17 18:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 17:53 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-16 22:05 --------- d-----w C:\Program Files\Windows Defender
2008-04-16 21:56 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2008-04-14 20:58 --------- d-----w C:\Program Files\Ricochet Xtreme
2008-04-14 20:55 --------- d-----w C:\Program Files\GamesBar
2008-04-14 17:34 --------- d-----w C:\Program Files\Extra DVD to iPhone Ripper
2008-04-14 17:32 --------- d-----w C:\Documents and Settings\Gordon\Application Data\UseNeXT
2008-04-14 17:18 --------- d-----w C:\Program Files\UseNeXT
2008-04-14 10:32 --------- d-----w C:\Program Files\Digiters DVD to iPhone Converter
2008-04-14 10:11 --------- d-----w C:\Program Files\Nidesoft DVD to iPhone Converter v3.0
2008-04-14 09:54 --------- d-----w C:\Documents and Settings\Gordon\Application Data\dvdcss
2008-04-14 09:52 --------- d-----w C:\Program Files\Cucusoft
2008-04-14 09:51 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-13 23:04 --------- d-----w C:\Program Files\Aniosoft iTouch iPhone Music Movie Backup
2008-04-13 23:03 --------- d-----w C:\Program Files\Avex
2008-04-13 22:24 --------- d-----w C:\Program Files\PQDVD
2008-04-13 22:24 --------- d-----w C:\Program Files\Common Files\PQDVD
2008-04-13 21:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 15:53 --------- d-----w C:\Program Files\MP3 Player Utilities
2008-04-04 21:04 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-04 21:04 --------- d-----w C:\Program Files\Common Files\Real
2008-02-11 22:32 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-08-03 18:59 1,392 ----a-w C:\Documents and Settings\Gordon\Application Data\wklnhst.dat
2007-01-05 14:11 138 ----a-w C:\Documents and Settings\Samantha\Application Data\wklnhst.dat
2006-12-03 20:16 0 ----a-w C:\Documents and Settings\Carolyn\Application Data\wklnhst.dat
2007-12-12 21:04 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F06FBBD-C5C5-41C4-BDDD-1F055F18E2FB}]
C:\WINDOWS\system32\byXOiFWo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 05:00 15360]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 15:28 77824]
"WirelessAudioUtility"="C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe" [2007-05-29 17:47 1921024]
"RouterToolbox"="C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe" [2007-07-31 19:29 360448]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-02-09 14:02 6051144]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 05:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 06:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 13:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 13:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 13:17 118784]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 16:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 06:22 794713]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-06-23 14:43 102400]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 14:46 202032]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 10:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 15:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-16 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-07 10:42:03 126136]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 17:39:30 73728]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26 180224]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 23:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnNGXOF]
nnnNGXOF.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AzureWave\\Wireless Audio\\WirelessAudioUtility.exe"=
"C:\\Program Files\\AzureWave\\Wireless Audio\\NewWizard.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"58141:TCP"= 58141:TCP:Pando P2P TCP Listening Port
"58141:UDP"= 58141:UDP:Pando P2P UDP Listening Port
"58107:TCP"= 58107:TCP:Pando P2P TCP Listening Port
"58107:UDP"= 58107:UDP:Pando P2P UDP Listening Port

R3 vsndcard;Wireless Audio Bridge;C:\WINDOWS\system32\drivers\vsndcard.sys [2006-06-05 16:58]
R3 vsndcard24;Wireless HD Audio Bridge;C:\WINDOWS\system32\drivers\vsndcard24.sys [2007-01-31 11:06]
S3 DCamUSBSTK014;STK014 Camera;C:\WINDOWS\system32\DRIVERS\STK014W2.sys [2003-07-15 12:25]
S3 oflpydin;oflpydin;C:\DOCUME~1\Gordon\LOCALS~1\Temp\oflpydin.sys []
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2006-03-16 05:00]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 14:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 14:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 14:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 14:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 14:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 14:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 14:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 10:51:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-19 18:25:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-19 18:43:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 19:40:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????\??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
C:\Program Files\Virgin Broadband\PCguard\PrtlAgt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-05-19 19:48:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 18:48:33

Pre-Run: 30,794,280,960 bytes free
Post-Run: 31,050,829,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

275 --- E O F --- 2008-05-18 15:02:00

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:58 PM

Posted 20 May 2008 - 04:06 AM

Hello Sharpy1977,

We'll need to clean up some more :thumbsup:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
C:\WINDOWS\system32\cuflqcqt.dll
C:\WINDOWS\system32\qajsovfl.dll
C:\WINDOWS\system32\xmsnorqr.dll
C:\WINDOWS\system32\fpubywpi.dll
File::
C:\WINDOWS\system32\beagboys.dll
C:\WINDOWS\system32\ockgcnvh.dll
C:\WINDOWS\system32\hflcuepj.dll
C:\WINDOWS\system32\yghmvrnx.ini
C:\WINDOWS\system32\mpvftvug.dll
C:\WINDOWS\system32\bdqpbbgq.dll
C:\WINDOWS\system32\lqdnipqn.dll
C:\WINDOWS\system32\kkekrfip.dll
C:\WINDOWS\system32\sfpktrpu.dll
C:\WINDOWS\system32\eiweuxme.dll
C:\WINDOWS\system32\ylbxkjcb.dll
C:\WINDOWS\system32\gucxrnij.dll
C:\WINDOWS\system32\nodxnals.dll
Folder::
C:\VundoFix Backups
Driver::
oflpydin
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F06FBBD-C5C5-41C4-BDDD-1F055F18E2FB}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnNGXOF]

Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
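The CFScript above removes three kinds of indicator that appear in the earlier logs: a driver service loading from the user's Temp folder (oflpydin), a Winlogon Notify package with a random-looking name (nnnNGXOF), and a Browser Helper Object. The following Python script is an added example, not code from this thread and not ComboFix's or HijackThis's own tooling; it scans constructed sample lines written in the DSS/ComboFix and HijackThis formats shown here and flags those three patterns so a helper can see which log lines drove the Driver:: and Registry:: entries. The Windows XP Winlogon Notify allowlist, the Temp-directory check and the "BHO DLL directly in system32" check are assumptions chosen for illustration, and the pairing of the BHO CLSID with cuflqcqt.dll is constructed, since the thread does not say which DLL that BHO loaded.

```python
"""Triage a few line types from ComboFix/DSS and HijackThis logs.

Added example (not from the thread, ComboFix or HijackThis). The heuristics
are assumptions: they produce candidates for a human to review, not verdicts.
"""
import re

# Winlogon\Notify packages that ship with Windows XP (assumed allowlist).
# Vendor packages such as Intel's igfxcui also exist, so an unknown name is a
# review candidate rather than proof of infection.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# "S3 name;display name;C:\path\file.sys [2006-11-30 14:58]" (DSS/ComboFix).
# An empty bracket, as with oflpydin above, means the file had no details.
SERVICE_RE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)
# "[HKEY_LOCAL_MACHINE\...\winlogon\notify\<package>]" (ComboFix Reg Loading Points).
NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\winlogon\\notify\\(?P<pkg>[^\]]+)\]$", re.IGNORECASE
)
# "O2 - BHO: <title> - {CLSID} - <dll path>" (HijackThis).
BHO_RE = re.compile(r"^O2 - BHO: (?P<title>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# A kernel driver loading from a user or system Temp folder is suspicious
# regardless of its name.
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\|\\WINDOWS\\Temp\\", re.IGNORECASE)
# Legitimate BHOs normally live under Program Files; a DLL dropped straight
# into system32 is the pattern the file lists in this thread show.
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def triage(lines):
    """Return a list of (category, detail) findings for the recognised line types."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path")
            if path.lower().endswith(".sys") and TEMP_DIR_RE.search(path):
                findings.append(("driver-in-temp", m.group("name")))
            continue
        m = NOTIFY_KEY_RE.match(line)
        if m:
            pkg = m.group("pkg")
            if pkg.lower() not in KNOWN_NOTIFY:
                findings.append(("unknown-winlogon-notify", pkg))
            continue
        m = BHO_RE.match(line)
        if m and SYSTEM32_DLL_RE.match(m.group("path").strip()):
            findings.append(("bho-dll-in-system32", m.group("clsid").upper()))
    return findings


# Constructed sample lines modelled on the logs in this thread. The BHO/DLL
# pairing on the last line is constructed for the example.
SAMPLE_LOG = [
    "S3 DCamUSBSTK014;STK014 Camera;C:\\WINDOWS\\system32\\DRIVERS\\STK014W2.sys [2003-07-15 12:25]",
    "S3 oflpydin;oflpydin;C:\\DOCUME~1\\Gordon\\LOCALS~1\\Temp\\oflpydin.sys []",
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\nnnNGXOF]",
    "nnnNGXOF.dll",
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\cscdll]",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll",
    "O2 - BHO: (no name) - {9F06FBBD-C5C5-41C4-BDDD-1F055F18E2FB} - C:\\WINDOWS\\system32\\cuflqcqt.dll",
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category}: {detail}")
```

Run against the sample, the script reports exactly the three items the CFScript targets (the oflpydin driver, the nnnNGXOF notify package and the BHO CLSID) and stays silent on the camera driver, the default cscdll package and the Java BHO. Any real log should be pasted in whole; the unrecognised line types are simply skipped.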

#5 sharpy1977

sharpy1977
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:58 PM

Posted 20 May 2008 - 08:22 AM

Hi again

I have not had any ads appear since I began following your instructions yesterday, and I am even using IE to send this reply.

Below are the reports you wanted from CF and HJT.

Thanks once again

ComboFix 08-05-15.3 - Gordon 2008-05-20 13:24:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.444 [GMT 1:00]
Running from: C:\Documents and Settings\Gordon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gordon\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\bdqpbbgq.dll
C:\WINDOWS\system32\beagboys.dll
C:\WINDOWS\system32\eiweuxme.dll
C:\WINDOWS\system32\gucxrnij.dll
C:\WINDOWS\system32\hflcuepj.dll
C:\WINDOWS\system32\kkekrfip.dll
C:\WINDOWS\system32\lqdnipqn.dll
C:\WINDOWS\system32\mpvftvug.dll
C:\WINDOWS\system32\nodxnals.dll
C:\WINDOWS\system32\ockgcnvh.dll
C:\WINDOWS\system32\sfpktrpu.dll
C:\WINDOWS\system32\yghmvrnx.ini
C:\WINDOWS\system32\ylbxkjcb.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\actnbjal.dll.bad
C:\VundoFix Backups\mlxtmtgy.dll.bad
C:\WINDOWS\system32\bdqpbbgq.dll
C:\WINDOWS\system32\beagboys.dll
C:\WINDOWS\system32\cuflqcqt.dll
C:\WINDOWS\system32\eiweuxme.dll
C:\WINDOWS\system32\fpubywpi.dll
C:\WINDOWS\system32\gucxrnij.dll
C:\WINDOWS\system32\hflcuepj.dll
C:\WINDOWS\system32\kkekrfip.dll
C:\WINDOWS\system32\lqdnipqn.dll
C:\WINDOWS\system32\mpvftvug.dll
C:\WINDOWS\system32\nodxnals.dll
C:\WINDOWS\system32\ockgcnvh.dll
C:\WINDOWS\system32\qajsovfl.dll
C:\WINDOWS\system32\sfpktrpu.dll
C:\WINDOWS\system32\xmsnorqr.dll
C:\WINDOWS\system32\yghmvrnx.ini
C:\WINDOWS\system32\ylbxkjcb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-19 18:47 . 2008-05-19 18:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 18:47 . 2008-05-19 18:47 <DIR> d-------- C:\Documents and Settings\Gordon\Application Data\Malwarebytes
2008-05-19 18:47 . 2008-05-19 18:47 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 18:47 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-19 18:47 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 16:02 . 2008-05-18 16:02 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 20:42 . 2008-05-16 20:42 <DIR> d----c--- C:\Deckard
2008-05-09 22:33 . 2008-05-09 22:48 <DIR> d-------- C:\Program Files\Orb Networks
2008-05-05 22:12 . 2008-05-05 22:12 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-05 22:09 . 2008-05-05 22:09 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-04 22:52 . 2008-05-04 22:52 <DIR> d-------- C:\Program Files\Pando Networks
2008-05-02 21:59 . 2008-05-02 21:59 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Virgin Broadband
2008-05-01 20:23 . 2008-05-19 19:52 <DIR> d-------- C:\HJT
2008-04-27 21:59 . 2008-04-27 21:59 <DIR> d-------- C:\Program Files\iPhoneBrowser
2008-04-27 17:56 . 2008-04-27 18:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-27 11:09 . 2008-04-27 11:09 <DIR> d-------- C:\Program Files\7-Zip
2008-04-26 22:56 . 2008-04-26 22:56 <DIR> d-------- C:\Program Files\WinSCP
2008-04-24 23:05 . 2008-04-24 23:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-04-24 22:36 . 2008-04-24 22:36 <DIR> d-------- C:\Program Files\GlobalSCAPE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 12:27 --------- dc----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-19 15:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-16 17:09 --------- d-----w C:\Documents and Settings\Gordon\Application Data\BitTorrent
2008-04-27 16:38 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-26 22:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 20:56 --------- d-----w C:\Program Files\SoftwareClub.ws
2008-04-17 18:43 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 18:38 --------- dc----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-17 18:36 --------- d-----w C:\Program Files\Lavasoft
2008-04-17 18:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 17:53 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-16 22:05 --------- d-----w C:\Program Files\Windows Defender
2008-04-16 21:56 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2008-04-14 20:58 --------- d-----w C:\Program Files\Ricochet Xtreme
2008-04-14 20:55 --------- d-----w C:\Program Files\GamesBar
2008-04-14 17:34 --------- d-----w C:\Program Files\Extra DVD to iPhone Ripper
2008-04-14 17:32 --------- d-----w C:\Documents and Settings\Gordon\Application Data\UseNeXT
2008-04-14 17:18 --------- d-----w C:\Program Files\UseNeXT
2008-04-14 10:32 --------- d-----w C:\Program Files\Digiters DVD to iPhone Converter
2008-04-14 10:11 --------- d-----w C:\Program Files\Nidesoft DVD to iPhone Converter v3.0
2008-04-14 09:54 --------- d-----w C:\Documents and Settings\Gordon\Application Data\dvdcss
2008-04-14 09:52 --------- d-----w C:\Program Files\Cucusoft
2008-04-14 09:51 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-13 23:04 --------- d-----w C:\Program Files\Aniosoft iTouch iPhone Music Movie Backup
2008-04-13 23:03 --------- d-----w C:\Program Files\Avex
2008-04-13 22:24 --------- d-----w C:\Program Files\PQDVD
2008-04-13 22:24 --------- d-----w C:\Program Files\Common Files\PQDVD
2008-04-13 21:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 15:53 --------- d-----w C:\Program Files\MP3 Player Utilities
2008-04-04 21:04 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-04 21:04 --------- d-----w C:\Program Files\Common Files\Real
2008-02-11 22:32 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-08-03 18:59 1,392 ----a-w C:\Documents and Settings\Gordon\Application Data\wklnhst.dat
2007-01-05 14:11 138 ----a-w C:\Documents and Settings\Samantha\Application Data\wklnhst.dat
2006-12-03 20:16 0 ----a-w C:\Documents and Settings\Carolyn\Application Data\wklnhst.dat
2007-12-12 21:04 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_19.48.15.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 18:39:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 12:29:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 12:34:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c14.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 05:00 15360]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 15:28 77824]
"WirelessAudioUtility"="C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe" [2007-05-29 17:47 1921024]
"RouterToolbox"="C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe" [2007-07-31 19:29 360448]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-02-09 14:02 6051144]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 05:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 06:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 13:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 13:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 13:17 118784]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 16:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 06:22 794713]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-06-23 14:43 102400]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 14:46 202032]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 10:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 15:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 15:09 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-16 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-07 10:42:03 126136]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 17:39:30 73728]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26 180224]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 23:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AzureWave\\Wireless Audio\\WirelessAudioUtility.exe"=
"C:\\Program Files\\AzureWave\\Wireless Audio\\NewWizard.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"58141:TCP"= 58141:TCP:Pando P2P TCP Listening Port
"58141:UDP"= 58141:UDP:Pando P2P UDP Listening Port
"58107:TCP"= 58107:TCP:Pando P2P TCP Listening Port
"58107:UDP"= 58107:UDP:Pando P2P UDP Listening Port

R3 vsndcard;Wireless Audio Bridge;C:\WINDOWS\system32\drivers\vsndcard.sys [2006-06-05 16:58]
R3 vsndcard24;Wireless HD Audio Bridge;C:\WINDOWS\system32\drivers\vsndcard24.sys [2007-01-31 11:06]
S3 DCamUSBSTK014;STK014 Camera;C:\WINDOWS\system32\DRIVERS\STK014W2.sys [2003-07-15 12:25]
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2006-03-16 05:00]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 14:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 14:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 14:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 14:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 14:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 14:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 14:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 10:51:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-20 12:25:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-20 12:33:26 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 13:30:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????\??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Virgin Broadband\PCguard\PrtlAgt.exe
.
**************************************************************************
.
Completion time: 2008-05-20 13:38:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 12:38:13
ComboFix2.txt 2008-05-19 18:48:48

Pre-Run: 31,015,239,680 bytes free
Post-Run: 31,008,083,968 bytes free

253 --- E O F --- 2008-05-18 15:02:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:55, on 20/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe
C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\PrtlAgt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [WirelessAudioUtility] "C:\Program Files\AzureWave\Wireless Audio\WirelessAudioUtility.exe" 1
O4 - HKCU\..\Run: [RouterToolbox] C:\Program Files\AzureWave\Router Toolbox\RouterToolbox.exe /autoRun
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: STK014 PNP Monitor.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=presario&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195075508687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196621928890
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 12288 bytes

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:58 PM

Posted 20 May 2008 - 05:27 PM

Looks good, Sharpy1977 :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 sharpy1977

sharpy1977
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:58 PM

Posted 21 May 2008 - 12:55 PM

That's fantastic.

Thank you for all your help.

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:58 PM

Posted 21 May 2008 - 04:15 PM

Glad we could help, Sharpy1977 :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
