A Whole Array Of Malware And Viruses


This topic is locked
11 replies to this topic

#1 mercurion

  • Members
  • 6 posts

Posted 17 May 2008 - 12:00 PM

Hi, I have suddenly been hit by a whole array of malware and viruses. I'm unsure which ones bundled themselves up together, but I am sure that I have Virtumonde and yaypalassamovala malware.

The following is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:29 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
d:\Program Files\Funcom\Age of Conan\ConanPatcher.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Mouse Software 1] C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
O4 - HKLM\..\Run: [Creative Keyboard Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Keyboard Software 1] C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LiveUpdate] "C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" -R
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMaf5aa614] Rundll32.exe "C:\WINDOWS\system32\ddkgypmj.dll",s
O4 - HKLM\..\Run: [ac699588] rundll32.exe "C:\WINDOWS\system32\wkhmfokp.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] d:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles/9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 14420 bytes

#2 mercurion

  • Topic Starter

  • Members
  • 6 posts

Posted 17 May 2008 - 12:54 PM

I did another scan using DSS. Here it is:

Deckard's System Scanner v20071014.68
Run by mambodin on 2008-05-18 01:46:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-05-17 17:46:52 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-05-17 16:36:57 UTC - RP2 - Last known good configuration
1: 2008-05-17 16:36:48 UTC - RP1 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as mambodin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:41 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\mambodin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mambodin.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16ED5C1F-E076-4200-AE4A-264368F1D753} - C:\WINDOWS\system32\pmnlmliI.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5D6881D8-ED1E-4F7A-B1D0-5A141A34A1D3} - C:\WINDOWS\system32\xxywWqrP.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {806AE000-BFC6-41E2-B1E9-BA32DE9FF5CE} - C:\WINDOWS\system32\cbXPfCss.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DA6167B9-61A5-4EEB-882E-A0A43232C038} - C:\WINDOWS\system32\cbXQhGYs.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} - C:\WINDOWS\system32\jkkijJAs.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Mouse Software 1] C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
O4 - HKLM\..\Run: [Creative Keyboard Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Keyboard Software 1] C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LiveUpdate] "C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" -R
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMaf5aa614] Rundll32.exe "C:\WINDOWS\system32\ddkgypmj.dll",s
O4 - HKLM\..\Run: [ac699588] rundll32.exe "C:\WINDOWS\system32\wkhmfokp.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] d:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles/9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: jkkijJAs - C:\WINDOWS\SYSTEM32\jkkijJAs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 15971 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R3 cmuda (C-Media WDM Audio Interface) - c:\windows\system32\drivers\cmuda.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>

S3 AmeAtmPc - c:\windows\system32\drivers\ameatmpc.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrempr5.sys (file missing)
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)
S3 PsSdk30 - c:\windows\system32\drivers\pssdk30.drv (file missing)
S3 XDva011 - c:\windows\system32\xdva011.sys (file missing)
S3 XDva031 - c:\windows\system32\xdva031.sys (file missing)
S3 XDva037 - c:\windows\system32\xdva037.sys (file missing)
S3 XDva104 - c:\windows\system32\xdva104.sys (file missing)
S3 XDva121 - c:\windows\system32\xdva121.sys (file missing)
S3 XDva132 - c:\windows\system32\xdva132.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: ROOT\MS_ATMELAN\0000
Manufacturer:
Name:
PNP Device ID: ROOT\MS_ATMELAN\0000
Service:

Class GUID:
Description:
Device ID: ROOT\MS_ATMELAN\0002
Manufacturer:
Name:
PNP Device ID: ROOT\MS_ATMELAN\0002
Service:

Class GUID:
Description:
Device ID: ROOT\MS_ATMELAN\0003
Manufacturer:
Name:
PNP Device ID: ROOT\MS_ATMELAN\0003
Service:

Class GUID:
Description:
Device ID: ROOT\MS_ATMELAN\0004
Manufacturer:
Name:
PNP Device ID: ROOT\MS_ATMELAN\0004
Service:

Class GUID:
Description:
Device ID: ROOT\MS_ATMELAN\0005
Manufacturer:
Name:
PNP Device ID: ROOT\MS_ATMELAN\0005
Service:

Class GUID:
Description:
Device ID: ROOT\MS_ATMELAN\0006
Manufacturer:
Name:
PNP Device ID: ROOT\MS_ATMELAN\0006
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: PlayLinc Adapter
Device ID: ROOT\NET\0000
Manufacturer: Super Computer Inc.
Name: PlayLinc Adapter
PNP Device ID: ROOT\NET\0000
Service: hamachi_oem


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 18:04:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-18 01:20:57 0 d------c- C:\VundoFix Backups
2008-05-18 00:58:36 0 d-------- C:\Program Files\Trend Micro
2008-05-18 00:44:23 116224 --a------ C:\WINDOWS\system32\wkhmfokp.dll
2008-05-18 00:36:38 473389 --ahs---- C:\WINDOWS\system32\Iilmlnmp.ini2
2008-05-18 00:36:17 371712 --a------ C:\WINDOWS\system32\pmnlmliI.dll
2008-05-17 03:26:19 116736 -----n--- C:\WINDOWS\system32\lwnaiyda.dll
2008-05-17 03:22:29 0 d-------- C:\Program Files\Spyware Doctor
2008-05-17 03:22:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-17 01:48:34 116736 --a------ C:\WINDOWS\system32\whyyqglq.dll
2008-05-17 01:41:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-17 01:41:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-17 01:40:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-17 01:39:03 0 d--hs---- C:\WINDOWS\CSC
2008-05-16 01:29:03 0 d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-16 01:25:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-05-15 22:30:35 0 d-------- C:\Documents and Settings\mambodin\Application Data\Motive
2008-05-15 02:23:29 0 d-------- C:\WINDOWS\Motive
2008-05-15 02:14:39 0 d-------- C:\Program Files\SmartFix
2008-05-14 01:12:48 0 d------c- C:\Downloads
2008-05-14 01:11:50 0 d-------- C:\Documents and Settings\mambodin\Application Data\Internet Download Accelerator
2008-05-13 14:20:31 0 d--h---c- C:\$AVG8.VAULT$
2008-05-12 16:46:20 720896 --a------ C:\WINDOWS\iun6002ev.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-05-12 14:20:48 0 d-------- C:\Documents and Settings\mambodin\Application Data\Publish Providers
2008-05-12 14:14:26 0 d-------- C:\Program Files\Vstplugins
2008-05-12 14:12:30 59904 --a------ C:\WINDOWS\system32\jkkijJAs.dll
2008-05-12 12:55:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 12:38:36 0 d------c- C:\Fraps
2008-05-10 13:40:22 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-10 13:40:15 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-10 13:38:07 0 d-------- C:\Program Files\AVG
2008-05-06 10:40:09 0 d-------- C:\Program Files\iPod
2008-05-06 10:40:04 0 d-------- C:\Program Files\iTunes
2008-05-03 20:05:05 0 d-------- C:\Program Files\GlobFX Technologies
2008-05-02 01:46:19 0 d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-19 16:05:26 0 d-------- C:\WINDOWS\nview
2008-04-19 06:30:55 0 d-------- C:\Program Files\AGEIA Technologies
2008-04-19 05:33:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Funcom
2008-04-18 03:31:15 0 d-------- C:\Program Files\Common Files\Adobe AIR


-- Find3M Report ---------------------------------------------------------------

2008-05-16 01:24:34 0 d-------- C:\Program Files\Common Files
2008-05-12 14:20:00 0 d-------- C:\Documents and Settings\mambodin\Application Data\Sony
2008-05-06 10:34:30 0 d-------- C:\Program Files\Apple Software Update
2008-04-28 03:16:36 0 d-------- C:\Documents and Settings\mambodin\Application Data\Adobe
2008-04-20 23:28:14 0 d-------- C:\Program Files\DivX
2008-04-19 07:20:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 06:27:38 0 d-------- C:\Program Files\Creative
2008-04-19 04:50:32 0 d-------- C:\Program Files\Common Files\xxx
2008-04-18 15:30:01 0 d-------- C:\Documents and Settings\mambodin\Application Data\Move Networks
2008-04-18 14:00:58 0 d-------- C:\Documents and Settings\mambodin\Application Data\Skype
2008-04-18 13:59:59 0 d-------- C:\Documents and Settings\mambodin\Application Data\skypePM
2008-04-18 12:47:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 18:03:22 5433 --a----c- C:\WINDOWS\mozver.dat
2008-04-14 17:53:31 0 d-------- C:\Program Files\Winamp
2008-04-09 15:04:58 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-09 13:49:53 0 d-------- C:\Program Files\Bonjour
2008-04-09 13:42:00 0 d-------- C:\Documents and Settings\mambodin\Application Data\Macromedia
2008-04-07 19:34:18 0 d-------- C:\Documents and Settings\mambodin\Application Data\Real
2008-04-07 18:31:13 0 d-------- C:\Program Files\QuickTime
2008-04-04 12:37:05 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-01 05:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-04-01 05:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-04-01 05:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 05:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 05:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-03-26 14:45:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 12:00:53 0 d-------- C:\Program Files\mIRC
2008-03-25 03:45:57 0 d-------- C:\Program Files\Java
2008-03-22 04:30:08 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
2008-03-22 04:28:54 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-22 04:28:54 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-22 04:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-22 01:51:04 0 d-------- C:\Documents and Settings\mambodin\Application Data\CmapTools
2008-03-01 01:59:04 80 --ah----- C:\WINDOWS\system32\HsInfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16ED5C1F-E076-4200-AE4A-264368F1D753}]
05/18/2008 12:36 AM 371712 --a------ C:\WINDOWS\system32\pmnlmliI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6881D8-ED1E-4F7A-B1D0-5A141A34A1D3}]
C:\WINDOWS\system32\xxywWqrP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{806AE000-BFC6-41E2-B1E9-BA32DE9FF5CE}]
C:\WINDOWS\system32\cbXPfCss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA6167B9-61A5-4EEB-882E-A0A43232C038}]
C:\WINDOWS\system32\cbXQhGYs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/15/2007 12:12 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
05/12/2008 02:12 PM 59904 --a------ C:\WINDOWS\system32\jkkijJAs.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [12/15/2007 12:12 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [12/10/2005 10:57 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 03:30 PM]
"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [01/27/2005 11:24 AM]
"Creative Mouse Software 1"="C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe" [02/17/2005 01:17 PM]
"Creative Keyboard Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [01/27/2005 11:24 AM]
"Creative Keyboard Software 1"="C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe" [02/17/2005 01:09 PM]
"Cmaudio"="cmicnfg.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [02/14/2007 11:15 AM]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [11/04/2005 06:07 PM]
"CTHelper"="CTHELPER.EXE" [12/12/2006 10:46 AM C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [12/12/2006 10:46 AM C:\WINDOWS\system32\Ctxfihlp.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/22/2006 11:24 PM]
"LiveUpdate"="C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" [04/09/2008 07:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/10/2008 01:40 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]
"BMaf5aa614"="C:\WINDOWS\system32\ddkgypmj.dll" []
"ac699588"="C:\WINDOWS\system32\wkhmfokp.dll" [05/18/2008 12:44 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"NudgeMania"="C:\Program Files\NudgeMania\NudgeMania.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"Internet Download Accelerator"="d:\Program Files\IDA\ida.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles/9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\WINDOWS\system32\jkkijJAs.dll [05/12/2008 02:12 PM 59904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkijJAs]
jkkijJAs.dll 05/12/2008 02:12 PM 59904 C:\WINDOWS\system32\jkkijJAs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlmliI

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CBC86A61-B52C-B9FE-F270-A31E17DEBF4D}]
C:\WINDOWS\system32\scrigz.exe



-- End of Deckard's System Scanner: finished at 2008-05-18 01:53:48 ------------
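The DSS report above prints registry load points (BHOs, Run keys, ShellExecuteHooks, Winlogon Notify) in one section and the files created in the last month in another; triaging such a report means cross-referencing the two. The Python below is an added example for this thread, not a tool the helper used: it correlates a few lines excerpted from the report above (a constructed sample in the format DSS prints) and flags load points whose target was created recently with no version info, or whose target has no on-disk metadata at all. The 14-day window is an assumption.

```python
"""Correlate DSS registry load points with its "Files created" listing.
Added example for this thread; line formats copied from the report above."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines excerpted from the DSS "Registry Dump" above.
REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16ED5C1F-E076-4200-AE4A-264368F1D753}]
05/18/2008 12:36 AM 371712 --a------ C:\WINDOWS\system32\pmnlmliI.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6881D8-ED1E-4F7A-B1D0-5A141A34A1D3}]
C:\WINDOWS\system32\xxywWqrP.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
05/12/2008 02:12 PM 59904 --a------ C:\WINDOWS\system32\jkkijJAs.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"BMaf5aa614"="C:\WINDOWS\system32\ddkgypmj.dll" []
"ac699588"="C:\WINDOWS\system32\wkhmfokp.dll" [05/18/2008 12:44 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\WINDOWS\system32\jkkijJAs.dll [05/12/2008 02:12 PM 59904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkijJAs]
jkkijJAs.dll 05/12/2008 02:12 PM 59904 C:\WINDOWS\system32\jkkijJAs.dll
"""

# Constructed sample: lines excerpted from the DSS "Files created" section above.
FILES_CREATED = r"""
2008-05-18 00:44:23 116224 --a------ C:\WINDOWS\system32\wkhmfokp.dll
2008-05-18 00:36:17 371712 --a------ C:\WINDOWS\system32\pmnlmliI.dll
2008-05-12 16:46:20 720896 --a------ C:\WINDOWS\iun6002ev.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-05-12 14:12:30 59904 --a------ C:\WINDOWS\system32\jkkijJAs.dll
"""

# Taken from the report's "finished at" line.
SCAN_TIME = datetime(2008, 5, 18, 1, 53, 48)

KEY_RE = re.compile(r"^\[-?(.+)\]$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]<>]+?\.(?:dll|exe|cpl|sys)(?=["\s\]]|$)', re.I)
META_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M")  # DSS on-disk stamp
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+?)(?: <([^>]*)>)?$")


def parse_load_points(dump):
    """Yield (registry key, target path, has_metadata) for every load point.
    DSS prints a date/size stamp next to targets it found on disk; a bare
    path or "[]" means it could not read the file (often already deleted)."""
    key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        p = PATH_RE.search(line)
        if key and p:
            yield key, p.group(0), bool(META_RE.search(line))


def parse_files_created(listing):
    """Map lower-cased path -> (creation time, version info or None).
    Version info is the '<Not Verified; Vendor; Product>' tail DSS adds when
    the file carries a version resource; randomly named droppers lack one."""
    files = {}
    for raw in listing.splitlines():
        m = FILE_RE.match(raw.strip())
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            files[m.group(4).lower()] = (created, m.group(5))
    return files


def triage(dump, listing, scan_time, window_days=14):
    """Return {lower path: {"load_points": [keys], "reasons": [text]}}.
    A target is flagged when it was created within window_days of the scan
    with no version info, or when its load point has no on-disk metadata."""
    files = parse_files_created(listing)
    cutoff = scan_time - timedelta(days=window_days)
    findings = {}
    for key, path, has_meta in parse_load_points(dump):
        reasons = []
        info = files.get(path.lower())
        if info and info[0] >= cutoff and not info[1]:
            reasons.append("created %s with no version info" % info[0].date())
        if not has_meta:
            reasons.append("load point present but no on-disk metadata")
        if reasons:
            entry = findings.setdefault(path.lower(), {"load_points": [], "reasons": []})
            entry["load_points"].append(key)
            entry["reasons"] = sorted(set(entry["reasons"]) | set(reasons))
    return findings


if __name__ == "__main__":
    for path, entry in sorted(triage(REGISTRY_DUMP, FILES_CREATED, SCAN_TIME).items()):
        print("%s  (%d load point(s))" % (path, len(entry["load_points"])))
        for reason in entry["reasons"]:
            print("    - " + reason)
```

A file registered from several load points at once (here one DLL appears as a BHO, a ShellExecuteHook and a Winlogon Notify entry) is the pattern worth looking at first, since that is what makes the cleanup need both file deletion and registry edits.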

#3 Buckeye_Sam

Malware Expert

Posted 17 May 2008 - 07:21 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!



#4 mercurion

Topic Starter

Posted 17 May 2008 - 09:28 PM

The following is my ComboFix log. There were continuous popups of windows trying to open a file called pv.cfexe as ComboFix was running.

I had to cancel each and every time before ComboFix's scan could resume.

ComboFix 08-05-15.3 - mambodin 2008-05-18 9:55:44.3 - NTFSx86
Running from: D:\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adyianwl.ini
C:\WINDOWS\system32\Iilmlnmp.ini
C:\WINDOWS\system32\Iilmlnmp.ini2
C:\WINDOWS\system32\pkofmhkw.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 01:46 . 2008-05-18 01:46 <DIR> d----c--- C:\Deckard
2008-05-18 01:20 . 2008-05-18 01:20 <DIR> d----c--- C:\VundoFix Backups
2008-05-18 00:58 . 2008-05-18 00:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 00:44 . 2008-05-18 00:44 116,224 --a------ C:\WINDOWS\system32\wkhmfokp.dll
2008-05-18 00:36 . 2008-05-18 00:36 371,712 --a------ C:\WINDOWS\system32\pmnlmliI.dll
2008-05-17 03:22 . 2008-05-18 00:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-17 03:22 . 2008-05-17 03:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-17 03:22 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-17 03:22 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-17 03:22 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-17 03:22 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-17 01:48 . 2008-05-17 01:48 116,736 --a------ C:\WINDOWS\system32\whyyqglq.dll
2008-05-16 01:29 . 2008-05-16 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-16 01:29 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-16 01:25 . 2008-05-16 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-05-15 22:30 . 2008-05-15 22:30 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Motive
2008-05-15 02:23 . 2008-05-16 01:24 <DIR> d-------- C:\WINDOWS\Motive
2008-05-15 02:14 . 2008-05-16 01:26 <DIR> d-------- C:\Program Files\SmartFix
2008-05-14 23:29 . 2008-05-17 03:26 109,807 --a------ C:\WINDOWS\BMaf5aa614.xml
2008-05-14 01:12 . 2008-05-14 01:17 <DIR> d----c--- C:\Downloads
2008-05-14 01:11 . 2008-05-14 01:12 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Internet Download Accelerator
2008-05-13 14:20 . 2008-05-18 00:45 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-05-12 16:46 . 2008-05-12 16:45 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2008-05-12 14:20 . 2008-05-12 14:20 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Publish Providers
2008-05-12 14:20 . 2008-05-12 21:19 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-05-12 14:20 . 2008-05-12 21:19 2 --a------ C:\WINDOWS\Twain001.Mtx
2008-05-12 14:20 . 2008-05-12 14:20 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-05-12 14:14 . 2008-05-12 14:14 <DIR> d-------- C:\Program Files\Vstplugins
2008-05-12 14:12 . 2008-05-12 14:12 59,904 --a------ C:\WINDOWS\system32\jkkijJAs.dll
2008-05-12 12:55 . 2008-05-18 10:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 12:38 . 2008-05-12 12:38 <DIR> d----c--- C:\Fraps
2008-05-10 13:40 . 2008-05-16 00:09 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-10 13:40 . 2008-05-10 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-10 13:40 . 2008-05-10 13:40 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-10 13:40 . 2008-05-10 13:40 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-10 13:40 . 2008-05-10 13:40 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-10 13:38 . 2008-05-10 13:38 <DIR> d-------- C:\Program Files\AVG
2008-05-06 10:40 . 2008-05-06 10:40 <DIR> d-------- C:\Program Files\iTunes
2008-05-06 10:40 . 2008-05-06 10:40 <DIR> d-------- C:\Program Files\iPod
2008-05-06 10:40 . 2008-05-18 10:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-06 10:40 . 2008-05-06 10:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 20:05 . 2008-05-03 20:05 <DIR> d-------- C:\Program Files\GlobFX Technologies
2008-05-02 01:46 . 2008-05-06 22:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-19 16:05 . 2008-04-19 16:05 <DIR> d-------- C:\WINDOWS\nview
2008-04-19 16:05 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-19 16:05 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-19 16:05 . 2008-04-19 16:08 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-19 16:05 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-19 06:30 . 2008-04-19 06:31 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-19 05:33 . 2008-04-19 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Funcom
2008-04-18 03:31 . 2008-04-18 03:31 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 02:18 23,867,424 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-18 02:12 283,568 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-17 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 06:20 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Sony
2008-05-12 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-05-06 02:34 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 15:28 --------- d-----w C:\Program Files\DivX
2008-04-18 23:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-18 22:27 --------- d-----w C:\Program Files\Creative
2008-04-18 20:50 --------- d-----w C:\Program Files\Common Files\xxx
2008-04-18 07:30 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Move Networks
2008-04-18 06:00 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Skype
2008-04-18 05:59 --------- d-----w C:\Documents and Settings\mambodin\Application Data\skypePM
2008-04-18 04:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 09:53 --------- d-----w C:\Program Files\Winamp
2008-04-09 07:04 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-09 05:49 --------- d-----w C:\Program Files\Bonjour
2008-04-07 10:31 --------- d-----w C:\Program Files\QuickTime
2008-03-26 06:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 04:00 --------- d-----w C:\Program Files\mIRC
2008-03-24 19:45 --------- d-----w C:\Program Files\Java
2008-03-21 17:51 --------- d-----w C:\Documents and Settings\mambodin\Application Data\CmapTools
2008-01-12 07:01 30,615 ----a-w C:\Documents and Settings\mambodin\x.exe
2008-01-04 14:17 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-29 08:37 22,328 -c--a-w C:\Documents and Settings\mambodin\Application Data\PnkBstrK.sys
2007-04-14 12:28 1 -c--a-w C:\Documents and Settings\mambodin\SI.bin
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30530A4A-D577-42AF-8A41-91F7DA5E4287}]
2008-05-18 00:36 371712 --a------ C:\WINDOWS\system32\pmnlmliI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6881D8-ED1E-4F7A-B1D0-5A141A34A1D3}]
C:\WINDOWS\system32\xxywWqrP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{806AE000-BFC6-41E2-B1E9-BA32DE9FF5CE}]
C:\WINDOWS\system32\cbXPfCss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA6167B9-61A5-4EEB-882E-A0A43232C038}]
C:\WINDOWS\system32\cbXQhGYs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
2008-05-12 14:12 59904 --a------ C:\WINDOWS\system32\jkkijJAs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-15 12:12 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-15 12:12 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"NudgeMania"="C:\Program Files\NudgeMania\NudgeMania.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"Internet Download Accelerator"="d:\Program Files\IDA\ida.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 22:57 133016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-01-27 11:24 65536]
"Creative Mouse Software 1"="C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe" [2005-02-17 13:17 221184]
"Creative Keyboard Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-01-27 11:24 65536]
"Creative Keyboard Software 1"="C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe" [2005-02-17 13:09 229376]
"Cmaudio"="cmicnfg.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15 147456]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"LiveUpdate"="C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" [2008-04-09 19:00 270336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-10 13:40 1177368]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"BMaf5aa614"="C:\WINDOWS\system32\ddkgypmj.dll" [ ]
"ac699588"="C:\WINDOWS\system32\wkhmfokp.dll" [2008-05-18 00:44 116224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\WINDOWS\system32\jkkijJAs.dll [2008-05-12 14:12 59904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkijJAs]
jkkijJAs.dll 2008-05-12 14:12 59904 C:\WINDOWS\system32\jkkijJAs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"D:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7621:TCP"= 7621:TCP:ppLive
"3963:UDP"= 3963:UDP:ppLive
"6736:TCP"= 6736:TCP:ppLive
"6421:UDP"= 6421:UDP:ppLive

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CBC86A61-B52C-B9FE-F270-A31E17DEBF4D}]
C:\WINDOWS\system32\scrigz.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 10:04:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\CTxfispi.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-05-18 10:23:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 02:23:05
ComboFix2.txt 2008-05-17 06:28:45

Pre-Run: 8,331,608,064 bytes free
Post-Run: 8,255,807,488 bytes free

243 --- E O F --- 2008-05-17 07:06:27

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:24 AM

Posted 18 May 2008 - 09:15 AM

Good job getting the log.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\wkhmfokp.dll
C:\WINDOWS\system32\pmnlmliI.dll
C:\WINDOWS\system32\whyyqglq.dll
C:\WINDOWS\system32\jkkijJAs.dll
C:\WINDOWS\system32\scrigz.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30530A4A-D577-42AF-8A41-91F7DA5E4287}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6881D8-ED1E-4F7A-B1D0-5A141A34A1D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{806AE000-BFC6-41E2-B1E9-BA32DE9FF5CE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA6167B9-61A5-4EEB-882E-A0A43232C038}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMaf5aa614"=-
"ac699588"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkijJAs]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CBC86A61-B52C-B9FE-F270-A31E17DEBF4D}]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under 'Select a target to scan', select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
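The CFScript above uses three sections (Folder::, File::, Registry::) and .reg-style registry syntax: a key written as [-KEY] is deleted outright, a line of the form "name"=- deletes one value under the key selected on the preceding [KEY] line. Before dropping such a script onto ComboFix it is worth previewing exactly what it will remove and checking every path against the ComboFix log that was posted. The Python below is an added example for that purpose; it is not part of ComboFix, nor written by the helper in this thread. The sample input is the script from the post above, and the "second look" heuristics in flag_action (system32 deletions, autostart load points) are my own assumptions about what a reviewer would want highlighted.

```python
"""Dry-run preview of a ComboFix CFScript (added example, not ComboFix code).

Parses the Folder::, File:: and Registry:: sections and lists every deletion
the script would cause, so each entry can be checked against the log first.
"""
import re
from dataclasses import dataclass

# Sample input: the CFScript posted in the thread above.
SAMPLE_SCRIPT = r"""
Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\wkhmfokp.dll
C:\WINDOWS\system32\pmnlmliI.dll
C:\WINDOWS\system32\whyyqglq.dll
C:\WINDOWS\system32\jkkijJAs.dll
C:\WINDOWS\system32\scrigz.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30530A4A-D577-42AF-8A41-91F7DA5E4287}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6881D8-ED1E-4F7A-B1D0-5A141A34A1D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{806AE000-BFC6-41E2-B1E9-BA32DE9FF5CE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA6167B9-61A5-4EEB-882E-A0A43232C038}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMaf5aa614"=-
"ac699588"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkijJAs]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CBC86A61-B52C-B9FE-F270-A31E17DEBF4D}]
"""


@dataclass
class Action:
    kind: str          # 'folder', 'file', 'reg_key' or 'reg_value'
    target: str        # path, or registry key
    detail: str = ""   # value name for 'reg_value'


# Assumed heuristic: key fragments that mark autostart / load-point locations.
AUTOSTART_HINTS = ("\\run", "browser helper objects", "shellexecutehooks",
                   "winlogon\\notify", "installed components")


def parse_cfscript(text):
    """Turn CFScript text into a list of Action objects, in script order."""
    actions, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header, e.g. "File::"
            section, current_key = line[:-2].lower(), None
            continue
        if section in ("folder", "file"):
            actions.append(Action(section, line))
        elif section == "registry":
            m = re.fullmatch(r"\[(-?)(.+)\]", line)
            if m:                               # [KEY] selects, [-KEY] deletes
                if m.group(1) == "-":
                    actions.append(Action("reg_key", m.group(2)))
                    current_key = None
                else:
                    current_key = m.group(2)
                continue
            m = re.fullmatch(r'"([^"]*)"=-', line)   # "name"=- deletes a value
            if m and current_key:
                actions.append(Action("reg_value", current_key, m.group(1)))
            else:
                raise ValueError(f"unrecognised Registry:: line: {raw!r}")
        else:
            raise ValueError(f"line outside any section: {raw!r}")
    return actions


def flag_action(a):
    """Note for entries that deserve a second look before the script runs."""
    t = a.target.lower()
    if a.kind in ("file", "folder") and "\\windows\\system32" in t:
        return "system32 deletion: confirm the name is in the log, not a known system file"
    if a.kind.startswith("reg") and any(h in t for h in AUTOSTART_HINTS):
        return "autostart / load point removal"
    return ""


def summarize(actions):
    """Count actions per kind, e.g. {'file': 5, ...}."""
    counts = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


def preview(text):
    """Print one line per planned deletion and return the per-kind counts."""
    actions = parse_cfscript(text)
    for a in actions:
        label = a.target if not a.detail else f'{a.target} -> "{a.detail}"'
        note = flag_action(a)
        print(f"{a.kind:9} {label}" + (f"   [{note}]" if note else ""))
    return summarize(actions)


if __name__ == "__main__":
    print(preview(SAMPLE_SCRIPT))
```

Run it as a script to get the listing; the returned counts for the posted script are 1 folder, 5 files, 7 key deletions and 3 value deletions, and every registry entry is flagged as a load point, which matches the Virtumonde-style BHO, Notify and Run entries the helper is targeting.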

#6 mercurion

mercurion
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:24 AM

Posted 18 May 2008 - 09:58 PM

Sorry I took so long to reply to this, but my full scan took 7.5 hours to complete.

This is the ComboFix log:

ComboFix 08-05-15.3 - mambodin 2008-05-19 2:41:33.5 - NTFSx86
Running from: C:\Documents and Settings\mambodin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mambodin\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\jkkijJAs.dll
C:\WINDOWS\system32\pmnlmliI.dll
C:\WINDOWS\system32\scrigz.exe
C:\WINDOWS\system32\whyyqglq.dll
C:\WINDOWS\system32\wkhmfokp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Iilmlnmp.ini2
.
---- Previous Run -------
.
C:\VundoFix Backups
C:\WINDOWS\system32\Iilmlnmp.ini
C:\WINDOWS\system32\Iilmlnmp.ini2
C:\WINDOWS\system32\jkkijJAs.dll
C:\WINDOWS\system32\pmnlmliI.dll
C:\WINDOWS\system32\qyjrbdyj.ini
C:\WINDOWS\system32\whyyqglq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-19 02:20 . 2008-05-19 02:20 294 --ahs---- C:\WINDOWS\system32\qyjrbdyj.ini
2008-05-18 11:38 . 2008-05-18 11:38 116,224 --a------ C:\WINDOWS\system32\jydbrjyq.dll
2008-05-18 01:46 . 2008-05-18 01:46 <DIR> d----c--- C:\Deckard
2008-05-18 00:58 . 2008-05-18 00:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 03:22 . 2008-05-18 00:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-17 03:22 . 2008-05-17 03:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-17 03:22 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-17 03:22 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-17 03:22 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-17 03:22 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-16 01:29 . 2008-05-16 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-16 01:29 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-16 01:25 . 2008-05-16 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-05-15 22:30 . 2008-05-15 22:30 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Motive
2008-05-15 02:23 . 2008-05-16 01:24 <DIR> d-------- C:\WINDOWS\Motive
2008-05-15 02:14 . 2008-05-16 01:26 <DIR> d-------- C:\Program Files\SmartFix
2008-05-14 23:29 . 2008-05-17 03:26 109,807 --a------ C:\WINDOWS\BMaf5aa614.xml
2008-05-14 01:12 . 2008-05-14 01:17 <DIR> d----c--- C:\Downloads
2008-05-14 01:11 . 2008-05-14 01:12 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Internet Download Accelerator
2008-05-13 14:20 . 2008-05-18 11:32 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-05-12 16:46 . 2008-05-12 16:45 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2008-05-12 14:20 . 2008-05-12 14:20 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Publish Providers
2008-05-12 14:20 . 2008-05-12 21:19 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-05-12 14:20 . 2008-05-12 21:19 2 --a------ C:\WINDOWS\Twain001.Mtx
2008-05-12 14:20 . 2008-05-12 14:20 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-05-12 14:14 . 2008-05-12 14:14 <DIR> d-------- C:\Program Files\Vstplugins
2008-05-12 12:55 . 2008-05-19 02:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 12:38 . 2008-05-12 12:38 <DIR> d----c--- C:\Fraps
2008-05-10 13:40 . 2008-05-16 00:09 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-10 13:40 . 2008-05-10 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-10 13:40 . 2008-05-10 13:40 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-10 13:40 . 2008-05-10 13:40 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-10 13:40 . 2008-05-10 13:40 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-10 13:38 . 2008-05-10 13:38 <DIR> d-------- C:\Program Files\AVG
2008-05-06 10:40 . 2008-05-06 10:40 <DIR> d-------- C:\Program Files\iTunes
2008-05-06 10:40 . 2008-05-06 10:40 <DIR> d-------- C:\Program Files\iPod
2008-05-06 10:40 . 2008-05-19 02:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-06 10:40 . 2008-05-06 10:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 20:05 . 2008-05-03 20:05 <DIR> d-------- C:\Program Files\GlobFX Technologies
2008-05-02 01:46 . 2008-05-06 22:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-19 16:05 . 2008-04-19 16:05 <DIR> d-------- C:\WINDOWS\nview
2008-04-19 16:05 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-19 16:05 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-19 16:05 . 2008-04-19 16:08 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-19 16:05 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-19 06:30 . 2008-04-19 06:31 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-19 05:33 . 2008-04-19 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Funcom
2008-04-18 03:31 . 2008-04-18 03:31 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 18:46 24,127,520 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-18 18:26 17,462,337 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-18 18:23 286,304 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-17 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 06:20 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Sony
2008-05-12 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-05-08 16:28 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-06 02:34 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 15:28 --------- d-----w C:\Program Files\DivX
2008-04-18 23:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-18 22:27 --------- d-----w C:\Program Files\Creative
2008-04-18 20:50 --------- d-----w C:\Program Files\Common Files\xxx
2008-04-18 07:30 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Move Networks
2008-04-18 06:00 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Skype
2008-04-18 05:59 --------- d-----w C:\Documents and Settings\mambodin\Application Data\skypePM
2008-04-18 04:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 09:53 --------- d-----w C:\Program Files\Winamp
2008-04-09 07:04 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-09 05:49 --------- d-----w C:\Program Files\Bonjour
2008-04-07 10:31 --------- d-----w C:\Program Files\QuickTime
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 06:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 04:00 --------- d-----w C:\Program Files\mIRC
2008-03-24 19:45 --------- d-----w C:\Program Files\Java
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-21 17:51 --------- d-----w C:\Documents and Settings\mambodin\Application Data\CmapTools
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 15:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 15:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-05 08:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 08:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 08:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 07:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 07:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-12 07:01 30,615 ----a-w C:\Documents and Settings\mambodin\x.exe
2008-01-04 14:17 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-29 08:37 22,328 -c--a-w C:\Documents and Settings\mambodin\Application Data\PnkBstrK.sys
2007-04-14 12:28 1 -c--a-w C:\Documents and Settings\mambodin\SI.bin
.

------- Sigcheck -------

2006-07-01 02:11 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-15 12:12 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-15 12:12 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"NudgeMania"="C:\Program Files\NudgeMania\NudgeMania.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"Internet Download Accelerator"="d:\Program Files\IDA\ida.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 22:57 133016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-01-27 11:24 65536]
"Creative Mouse Software 1"="C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe" [2005-02-17 13:17 221184]
"Creative Keyboard Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-01-27 11:24 65536]
"Creative Keyboard Software 1"="C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe" [2005-02-17 13:09 229376]
"Cmaudio"="cmicnfg.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15 147456]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"LiveUpdate"="C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" [2008-04-09 19:00 270336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-10 13:40 1177368]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"D:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7621:TCP"= 7621:TCP:ppLive
"3963:UDP"= 3963:UDP:ppLive
"6736:TCP"= 6736:TCP:ppLive
"6421:UDP"= 6421:UDP:ppLive

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 10:04:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 02:46:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
Completion time: 2008-05-19 2:49:20
ComboFix-quarantined-files.txt 2008-05-18 18:48:14
ComboFix2.txt 2008-05-18 02:23:45
ComboFix3.txt 2008-05-17 06:28:45

Pre-Run: 8,248,115,200 bytes free
Post-Run: 8,236,670,976 bytes free

249 --- E O F --- 2008-05-17 07:06:27


I have tried running the Kaspersky online webscan, but somehow my IE won't run it, so I downloaded the Kaspersky antivirus and did a full scan. Here are the results:

Protection
----------
Total scanned: 1598961
Detected: 3
Untreated: 1
Start time: 5/19/2008 3:29:16 AM
Duration: unknown
Finish time: 5/19/2008 3:29:16 AM


Detected
--------
Status Object
------ ------
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ricvi4mc.default\Cache\C2152591d01//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\mambodin\Desktop\ComboFix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
detected: adware not-a-virus:AdWare.Win32.Virtumonde.rtf File: C:\QooBox\Quarantine\C\WINDOWS\system32\whyyqglq.dll.vir


Events
------
Time Event
---- -----
5/19/2008 3:23:23 AM You are advised to perform a full computer scan as soon as possible.
5/19/2008 3:29:16 AM You are advised to perform a full computer scan as soon as possible.
5/19/2008 3:39:53 AM File C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ricvi4mc.default\Cache\C2152591d01//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
5/19/2008 3:39:53 AM Security threats have been detected. You are advised to neutralize them immediately.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass1.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass1.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass2.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass2.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityInternetExplorer.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityInternetExplorer.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/removalfile.bat: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/cbXQhGYs.dll: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll10.zip/welbutsp.dll: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll10.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip/xxywWqrP.dll: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll11.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll12.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll12.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll13.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll13.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll14.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll14.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll15.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll15.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll16.zip/gwatynny.dll_old: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll16.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll17.zip/welbutsp.dll_old: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll17.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll18.zip/xxywWqrP.dll_old: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll18.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll19.zip/iifCuvwt.dll: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll19.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll20.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll20.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll21.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll21.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll22.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll22.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll23.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll23.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll4.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip/cbXQhGYs.dll_old: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll5.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip/ijxokjpf.dll: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll6.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip/ucdvhyjk.dll: is password protected.
5/19/2008 3:47:00 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll7.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip/xxywWqrP.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll8.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip/gwatynny.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll9.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.5.3.018/info.txt: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.5.3.018/stopwcmdr.bat: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.5.3.018/updatenow.bat: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.5.3.018/wcmdmgr.exe: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.5.3.018/wcmdmgrl.exe: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.5.3.018/wtcpl.cpl: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.5.3.018/_privacy.txt: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/data.wts: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/info.txt: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/data.wts: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/stopwcmdr.bat: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/updatenow.bat: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/wcmdmgr.exe: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/wcmdmgrl.exe: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/wt.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/wtlog.txt: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/updater/_privacy.txt: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/WDInUsePlugin.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/actorobject.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/dx5drv.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/dx7drv.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/objectbundle.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/rdriver.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/sound.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wdcaps.ded: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wdengine.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/webdriver.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wildtangent.jar: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wthost.exe: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wthostctl.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wtmulti.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wtmulti.jar: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wtwmplug.ax: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver/wtwmplug.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/webdriver.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wt3d.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wt3d.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtupdater/appinfo.dat: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/actorobject.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/dx5drv.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/dx7drv.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/legacy/data.wts: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/legacy/webdriver.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/legacy/wt3d.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/npwthost.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/npwtplug.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/nsiwthostplugin.xpt: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/objectbundle.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/rdriver.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/sound.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wdcaps.ded: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wdengine.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/webdriver.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wildtangent.jar: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wthost.exe: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wthost.jar: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wthostctl.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wtmulti.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wtmulti.jar: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wtvh.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wtwmplug.ax: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/files/3.1.0.037/wtwmplug.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtupdates/wtwebdriver/update_info/data.wts: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/wtvh.dll: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent6.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent6.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSharkaf.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSharkaf.zip/sbRecovery.ini: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSharkaf1.zip/sbRecovery.reg: is password protected.
5/19/2008 3:47:01 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSharkaf1.zip/sbRecovery.ini: is password protected.
5/19/2008 4:22:18 AM File C:\Documents and Settings\mambodin\Desktop\ComboFix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
5/19/2008 5:26:51 AM Update completed successfully
5/19/2008 5:47:42 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\whyyqglq.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.rtf'.
5/19/2008 5:47:42 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\whyyqglq.dll.vir: is still infected, postponed.
5/19/2008 7:43:17 AM Update completed successfully
5/19/2008 8:04:16 AM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
5/19/2008 9:59:53 AM Update completed successfully
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\dummy.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahoma-12.font: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahoma-18.font: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahoma-6.font: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahoma.ttf: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\htmldummy.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\rcon.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\rpic.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\st.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/buddy.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/notify.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/rcon.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/st.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/voip.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\tpic.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/thread.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahoma-10.font: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahoma-11.font: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahomab-12.font: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahomab.ttf: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahomai-12.font: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\fonts\tahomai.ttf: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\icon_idle_away.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/strategy_video.txt: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\icon_no_icon.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/army_bl.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/army_main.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/verizon_bl.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/verizon_main.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\Verizon_mn.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\army_bg.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\Army_mn.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\Army_WindowsLook.imageset: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\Army_WindowsLook.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\schemes\Army_WindowsLook.scheme: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/cpl_bl.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/cpl_main.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/videowindow.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\cpl_mn.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\cpl_bg.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\Verizon_WindowsLook.imageset: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\Verizon_WindowsLook.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\CPL_WindowsLook.imageset: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\CPL_WindowsLook.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\schemes\Verizon_WindowsLook.scheme: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\schemes\CPL_WindowsLook.scheme: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/aol_bl.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/aol_main.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/aol_rcon.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/aol_st.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/nvidia_bl.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/nvidia_main.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\AOL_WindowsLook.imageset: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\AOL_WindowsLook.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\schemes\AOL_WindowsLook.scheme: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\aol_bg.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\aol_mn.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\logo_main_aim.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\aim_rpic.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\aim_tpic.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\ubisoft_rpic.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\ubisoft_mn.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\ubisoft_bg.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\voip_mute.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\voip_operator.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\voip_talking.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\plmember_icon.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\alphadummy.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\schemes\UBISOFT_WindowsLook.scheme: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\UBISOFT_WindowsLook.imageset: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\imagesets\UBISOFT_WindowsLook.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/hhhh.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/ubisoft_bl.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/ubisoft_st.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/ubisoft_rcon.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/ubisoft_main.xml: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/datafiles\logo_main_aim2.tga: is password protected.
5/19/2008 10:17:59 AM File D:\Program Files\PlayLinc\data.dat/aol_voip.xml: is password protected.
5/19/2008 10:53:02 AM File c:\qoobox\quarantine\c\windows\system32\whyyqglq.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.rtf'.
5/19/2008 10:53:27 AM File c:\qoobox\quarantine\c\windows\system32\whyyqglq.dll.vir: is still infected, skipped by user.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Scan My Computer completed 5/19/2008 3:31:40 AM 5/19/2008 10:53:27 AM 448.5 MB
Update completed 5/19/2008 5:25:16 AM 5/19/2008 5:26:51 AM 0 bytes
Update completed 5/19/2008 7:41:46 AM 5/19/2008 7:43:17 AM 0 bytes
Update completed 5/19/2008 9:58:39 AM 5/19/2008 9:59:53 AM 17.4 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:24 AM

Posted 19 May 2008 - 07:26 AM

Amazing that it detects the files already quarantined, but doesn't see the ones that are still active.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\qyjrbdyj.ini
C:\WINDOWS\system32\jydbrjyq.dll

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Also post a new log from DSS.
How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 mercurion

mercurion
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:24 AM

Posted 19 May 2008 - 08:25 AM

The computer is behaving alright I think.

One more thing to note: when ComboFix was running, Windows popped up a message saying that it was trying to open these two files

pv.cfexe
NirCmdC.cfexe

and required me to either search a program from the internet or open it with a program of my choice.

This happened numerous times throughout the scan and I had to choose cancel every time.

Here is the ComboFix report

ComboFix 08-05-15.3 - mambodin 2008-05-19 21:09:56.6 - NTFSx86
Running from: C:\Documents and Settings\mambodin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mambodin\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\jydbrjyq.dll
C:\WINDOWS\system32\qyjrbdyj.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\qyjrbdyj.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 03:16 . 2008-05-19 03:16 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-19 03:16 . 2008-05-19 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-19 03:13 . 2008-05-19 03:13 <DIR> d----c--- C:\kav
2008-05-18 01:46 . 2008-05-18 01:46 <DIR> d----c--- C:\Deckard
2008-05-18 00:58 . 2008-05-18 00:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 03:22 . 2008-05-19 19:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-17 03:22 . 2008-05-17 03:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-17 03:22 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-17 03:22 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-17 03:22 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-17 03:22 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-16 01:29 . 2008-05-16 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-16 01:29 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-05-16 01:25 . 2008-05-16 01:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-05-15 22:30 . 2008-05-15 22:30 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Motive
2008-05-15 02:23 . 2008-05-16 01:24 <DIR> d-------- C:\WINDOWS\Motive
2008-05-15 02:14 . 2008-05-16 01:26 <DIR> d-------- C:\Program Files\SmartFix
2008-05-14 23:29 . 2008-05-17 03:26 109,807 --a------ C:\WINDOWS\BMaf5aa614.xml
2008-05-14 01:12 . 2008-05-14 01:17 <DIR> d----c--- C:\Downloads
2008-05-14 01:11 . 2008-05-14 01:12 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Internet Download Accelerator
2008-05-13 14:20 . 2008-05-19 10:56 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-05-12 16:46 . 2008-05-12 16:45 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2008-05-12 14:20 . 2008-05-12 14:20 <DIR> d-------- C:\Documents and Settings\mambodin\Application Data\Publish Providers
2008-05-12 14:20 . 2008-05-12 21:19 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-05-12 14:20 . 2008-05-12 21:19 2 --a------ C:\WINDOWS\Twain001.Mtx
2008-05-12 14:20 . 2008-05-12 14:20 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-05-12 14:14 . 2008-05-12 14:14 <DIR> d-------- C:\Program Files\Vstplugins
2008-05-12 12:55 . 2008-05-19 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 12:38 . 2008-05-12 12:38 <DIR> d----c--- C:\Fraps
2008-05-10 13:40 . 2008-05-19 05:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-10 13:40 . 2008-05-10 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-10 13:40 . 2008-05-10 13:40 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-10 13:40 . 2008-05-10 13:40 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-10 13:40 . 2008-05-10 13:40 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-10 13:38 . 2008-05-10 13:38 <DIR> d-------- C:\Program Files\AVG
2008-05-06 10:40 . 2008-05-06 10:40 <DIR> d-------- C:\Program Files\iTunes
2008-05-06 10:40 . 2008-05-06 10:40 <DIR> d-------- C:\Program Files\iPod
2008-05-06 10:40 . 2008-05-19 18:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-06 10:40 . 2008-05-06 10:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 20:05 . 2008-05-03 20:05 <DIR> d-------- C:\Program Files\GlobFX Technologies
2008-05-02 01:46 . 2008-05-06 22:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-19 16:05 . 2008-04-19 16:05 <DIR> d-------- C:\WINDOWS\nview
2008-04-19 16:05 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-19 16:05 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-19 16:05 . 2008-04-19 16:08 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-19 16:05 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-19 06:30 . 2008-04-19 06:31 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-19 05:33 . 2008-04-19 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Funcom

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 19:24 287,792 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-18 19:24 24,199,200 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-17 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 06:20 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Sony
2008-05-12 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-05-06 02:34 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 15:28 --------- d-----w C:\Program Files\DivX
2008-04-18 23:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-18 22:27 --------- d-----w C:\Program Files\Creative
2008-04-18 20:50 --------- d-----w C:\Program Files\Common Files\xxx
2008-04-18 07:30 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Move Networks
2008-04-18 06:00 --------- d-----w C:\Documents and Settings\mambodin\Application Data\Skype
2008-04-18 05:59 --------- d-----w C:\Documents and Settings\mambodin\Application Data\skypePM
2008-04-18 04:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 19:31 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-04-14 09:53 --------- d-----w C:\Program Files\Winamp
2008-04-09 07:04 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-09 05:49 --------- d-----w C:\Program Files\Bonjour
2008-04-07 10:31 --------- d-----w C:\Program Files\QuickTime
2008-03-26 06:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 04:00 --------- d-----w C:\Program Files\mIRC
2008-03-24 19:45 --------- d-----w C:\Program Files\Java
2008-03-21 17:51 --------- d-----w C:\Documents and Settings\mambodin\Application Data\CmapTools
2008-01-12 07:01 30,615 ----a-w C:\Documents and Settings\mambodin\x.exe
2008-01-04 14:17 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-29 08:37 22,328 -c--a-w C:\Documents and Settings\mambodin\Application Data\PnkBstrK.sys
2007-04-14 12:28 1 -c--a-w C:\Documents and Settings\mambodin\SI.bin
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-15 12:12 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-15 12:12 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"NudgeMania"="C:\Program Files\NudgeMania\NudgeMania.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"Internet Download Accelerator"="d:\Program Files\IDA\ida.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 22:57 133016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-01-27 11:24 65536]
"Creative Mouse Software 1"="C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe" [2005-02-17 13:17 221184]
"Creative Keyboard Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-01-27 11:24 65536]
"Creative Keyboard Software 1"="C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe" [2005-02-17 13:09 229376]
"Cmaudio"="cmicnfg.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15 147456]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"LiveUpdate"="C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" [2008-04-09 19:00 270336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-10 13:40 1177368]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"D:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"D:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7621:TCP"= 7621:TCP:ppLive
"3963:UDP"= 3963:UDP:ppLive
"6736:TCP"= 6736:TCP:ppLive
"6421:UDP"= 6421:UDP:ppLive

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 10:04:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
Completion time: 2008-05-19 21:18:32
ComboFix-quarantined-files.txt 2008-05-19 13:18:11
ComboFix2.txt 2008-05-18 18:49:22
ComboFix3.txt 2008-05-18 02:23:45
ComboFix4.txt 2008-05-17 06:28:45

Pre-Run: 7,459,225,600 bytes free
Post-Run: 7,478,722,560 bytes free

205 --- E O F --- 2008-05-17 07:06:27


DSS Report

Deckard's System Scanner v20071014.68
Run by mambodin on 2008-05-19 21:23:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as mambodin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:31 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
d:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\mambodin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mambodin.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Mouse Software 1] C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
O4 - HKLM\..\Run: [Creative Keyboard Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Keyboard Software 1] C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LiveUpdate] "C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" -R
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] d:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles/9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 15402 bytes

-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 03:16:05 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-19 03:16:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-19 03:13:53 0 d------c- C:\kav
2008-05-19 02:21:00 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-18 09:53:53 68096 --a------ C:\WINDOWS\zip.exe
2008-05-18 09:53:53 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-18 09:53:53 98816 --a------ C:\WINDOWS\sed.exe
2008-05-18 09:53:53 80412 --a------ C:\WINDOWS\grep.exe
2008-05-18 09:53:52 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-18 09:53:52 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-18 09:53:52 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-18 09:53:52 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-18 00:58:36 0 d-------- C:\Program Files\Trend Micro
2008-05-17 03:22:29 0 d-------- C:\Program Files\Spyware Doctor
2008-05-17 03:22:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-17 01:41:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-17 01:41:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-17 01:40:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-17 01:39:03 0 d--hs---- C:\WINDOWS\CSC
2008-05-16 01:29:03 0 d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-05-16 01:25:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-05-15 22:30:35 0 d-------- C:\Documents and Settings\mambodin\Application Data\Motive
2008-05-15 02:23:29 0 d-------- C:\WINDOWS\Motive
2008-05-15 02:14:39 0 d-------- C:\Program Files\SmartFix
2008-05-14 01:12:48 0 d------c- C:\Downloads
2008-05-14 01:11:50 0 d-------- C:\Documents and Settings\mambodin\Application Data\Internet Download Accelerator
2008-05-13 14:20:31 0 d--h---c- C:\$AVG8.VAULT$
2008-05-12 16:46:20 720896 --a------ C:\WINDOWS\iun6002ev.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-05-12 14:20:48 0 d-------- C:\Documents and Settings\mambodin\Application Data\Publish Providers
2008-05-12 14:14:26 0 d-------- C:\Program Files\Vstplugins
2008-05-12 12:55:08 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 12:38:36 0 d------c- C:\Fraps
2008-05-10 13:40:22 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-10 13:40:15 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-10 13:38:07 0 d-------- C:\Program Files\AVG
2008-05-06 10:40:09 0 d-------- C:\Program Files\iPod
2008-05-06 10:40:04 0 d-------- C:\Program Files\iTunes
2008-05-03 20:05:05 0 d-------- C:\Program Files\GlobFX Technologies
2008-05-02 01:46:19 0 d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-19 16:05:26 0 d-------- C:\WINDOWS\nview
2008-04-19 06:30:55 0 d-------- C:\Program Files\AGEIA Technologies
2008-04-19 05:33:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Funcom


-- Find3M Report ---------------------------------------------------------------

2008-05-16 01:24:34 0 d-------- C:\Program Files\Common Files
2008-05-12 14:20:00 0 d-------- C:\Documents and Settings\mambodin\Application Data\Sony
2008-05-06 10:34:30 0 d-------- C:\Program Files\Apple Software Update
2008-04-28 03:16:36 0 d-------- C:\Documents and Settings\mambodin\Application Data\Adobe
2008-04-20 23:28:14 0 d-------- C:\Program Files\DivX
2008-04-19 07:20:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-19 06:27:38 0 d-------- C:\Program Files\Creative
2008-04-19 04:50:32 0 d-------- C:\Program Files\Common Files\xxx
2008-04-18 15:30:01 0 d-------- C:\Documents and Settings\mambodin\Application Data\Move Networks
2008-04-18 14:00:58 0 d-------- C:\Documents and Settings\mambodin\Application Data\Skype
2008-04-18 13:59:59 0 d-------- C:\Documents and Settings\mambodin\Application Data\skypePM
2008-04-18 12:47:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-18 03:31:16 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-15 18:03:22 5433 --a----c- C:\WINDOWS\mozver.dat
2008-04-14 17:53:31 0 d-------- C:\Program Files\Winamp
2008-04-09 15:04:58 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-09 13:49:53 0 d-------- C:\Program Files\Bonjour
2008-04-09 13:42:00 0 d-------- C:\Documents and Settings\mambodin\Application Data\Macromedia
2008-04-07 19:34:18 0 d-------- C:\Documents and Settings\mambodin\Application Data\Real
2008-04-07 18:31:13 0 d-------- C:\Program Files\QuickTime
2008-04-04 12:37:05 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-01 05:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-04-01 05:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-04-01 05:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-04-01 05:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-04-01 05:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-03-26 14:45:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 12:00:53 0 d-------- C:\Program Files\mIRC
2008-03-25 03:45:57 0 d-------- C:\Program Files\Java
2008-03-22 04:30:08 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
2008-03-22 04:28:54 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-22 04:28:54 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-22 04:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-22 01:51:04 0 d-------- C:\Documents and Settings\mambodin\Application Data\CmapTools
2008-03-01 01:59:04 80 --ah----- C:\WINDOWS\system32\HsInfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/15/2007 12:12 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [12/15/2007 12:12 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [12/10/2005 10:57 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 03:30 PM]
"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [01/27/2005 11:24 AM]
"Creative Mouse Software 1"="C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe" [02/17/2005 01:17 PM]
"Creative Keyboard Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [01/27/2005 11:24 AM]
"Creative Keyboard Software 1"="C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe" [02/17/2005 01:09 PM]
"Cmaudio"="cmicnfg.cpl" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [02/14/2007 11:15 AM]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [11/04/2005 06:07 PM]
"CTHelper"="CTHELPER.EXE" [12/12/2006 10:46 AM C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [12/12/2006 10:46 AM C:\WINDOWS\system32\Ctxfihlp.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/22/2006 11:24 PM]
"LiveUpdate"="C:\Program Files\Samsung\Samsung PC Studio 3\\Update\Copyer.exe" [04/09/2008 07:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/10/2008 01:40 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"NudgeMania"="C:\Program Files\NudgeMania\NudgeMania.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"Internet Download Accelerator"="d:\Program Files\IDA\ida.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles\9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\mambodin\Application Data\Mozilla\Firefox\Profiles/9868ho1j.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2008-05-19 21:24:52 ------------

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 May 2008 - 08:31 AM

Your logs are looking good to me! :)


Just a few last things and you should be good to go! :thumbsup:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :thumbsup:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
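The Internet Explorer "Custom Level" changes listed in the post above are stored as per-user DWORD values under the Internet zone key (zone 3). The following PowerShell audit script is an added example, not part of the thread or of any tool it names: it reads those values, reports which ones differ from the recommended settings, and optionally applies them. The value names and action codes (0 = Enable, 1 = Prompt, 3 = Disable) are the ones Microsoft documents for the zone settings; the path assumes the default, non-policy location.

```powershell
# Added example: audit (and optionally apply) the Internet zone settings
# recommended in the post above. Run as the user whose IE profile you want
# to check. If the Security_HKLM_only policy is set, the effective values
# live under HKLM instead and this HKCU view is not the one in force.
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name -> (setting as shown in Custom Level, recommended action)
$recommended = @{
    '1001' = @('Download signed ActiveX controls',                       1)  # Prompt
    '1004' = @('Download unsigned ActiveX controls',                     3)  # Disable
    '1201' = @('Initialize and script ActiveX controls not marked safe', 3)  # Disable
    '1800' = @('Installation of desktop items',                          1)  # Prompt
    '1804' = @('Launching programs and files in an IFRAME',              1)  # Prompt
    '1607' = @('Navigate sub-frames across different domains',           1)  # Prompt
}
$actionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

if (-not (Test-Path $zonePath)) { throw "Zone key not found: $zonePath" }
$zone = Get-ItemProperty -Path $zonePath

foreach ($name in ($recommended.Keys | Sort-Object)) {
    $desc, $want = $recommended[$name]
    $have = $zone.$name

    # A missing value means the machine default applies, which for the
    # Internet zone is usually weaker than the recommendation.
    if ($null -eq $have) {
        $haveText = 'not set (default)'
    } else {
        $haveText = $actionName[[int]$have]
        if (-not $haveText) { $haveText = "unknown value $have" }
    }

    $status = if ($have -eq $want) { 'OK  ' } else { 'WEAK' }
    '{0} {1,-58} current: {2,-20} recommended: {3}' -f $status, $desc, $haveText, $actionName[$want]

    if ($Apply -and $have -ne $want) {
        Set-ItemProperty -Path $zonePath -Name $name -Value $want -Type DWord
        "     -> set $name to $($actionName[$want])"
    }
}
```

Without -Apply the script only reports; any row marked WEAK corresponds to a Custom Level setting still left at its default.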


========================================================

#10 mercurion

mercurion
  • Topic Starter

  • Members
  • 6 posts

Posted 19 May 2008 - 08:34 AM

Thx :D

Check your mail, I've sent a little donation for your help.

Edited by mercurion, 19 May 2008 - 08:36 AM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 May 2008 - 05:34 PM

Thank you! :thumbsup:
Very much appreciated!


========================================================

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 June 2008 - 02:36 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
