Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo.generic


  • This topic is locked This topic is locked
13 replies to this topic

#1 Twinmum

Twinmum

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:33 PM

Posted 18 May 2008 - 05:39 PM

My E-Trust software keeps popping up (about every 30-40 minutes or so - sometimes longer) with a message that it has found vundo generic and that it has been deleted. The actual file always has a different name, but is always in the windows/system32 folder. When I search this folder the file no longer exists.
Obviously Vet is stopping it from doing any harm (well I hope that's the case) but it can't seem to remove it completely.

I ran dss and it ran a clone of HijackThis ( I was too slow getting to the computer to click yes) The results of that follow.
Thanks in advance for any help with this,
Norma

Deckard's System Scanner v20071014.68
Run by Norma on 2008-05-19 08:09:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 4 Restore Point(s) --
4: 2008-05-18 12:56:39 UTC - RP319 - Deckard's System Scanner Restore Point
3: 2008-05-16 14:03:35 UTC - RP318 - Software Distribution Service 3.0
2: 2008-05-13 22:48:38 UTC - RP317 - Software Distribution Service 3.0
1: 2008-05-11 13:40:31 UTC - RP316 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-19 08:13:05
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\eTrust Vet Antivirus\iSafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRid.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Program Files\Sony\SonicStage\SSAAD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Documents and Settings\Norma\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toadgames.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FA8BE6D5-40E0-48B8-B317-18A4A590918A} - C:\WINDOWS\system32\geBuUkhh.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Vet Start Up] C:\VET\VETNT.EXE /PROGRESSIVE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Policies\Explorer\Run: [{F8555B49-0BB8-1033-1014-050505040001}] "C:\Program Files\Common Files\{F8555B49-0BB8-1033-1014-050505040001}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} () - http://locator1.cdn.imagesrvr.com/sites/er...easeInstall.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{2208F4A7-2203-4627-AB3D-80711E1A7157}: NameServer = 203.88.240.88,203.88.255.99
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: geBuUkhh - C:\WINDOWS\system32\geBuUkhh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\iSafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe


--
End of file - 11404 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver UltraDev\Configuration\Resources.dll,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver UltraDev\UltraDev.exe" %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
R2 athsgt - c:\windows\system32\drivers\athsgt.sys
R2 Fallback - c:\windows\system32\drivers\fallback.sys <Not Verified; Conexant; SoftK56>
R2 Fsks - c:\windows\system32\drivers\fsksnt.sys <Not Verified; Conexant; SoftK56>
R2 K56 - c:\windows\system32\drivers\k56nt.sys <Not Verified; Conexant; SoftK56>
R2 limsgt - c:\windows\system32\drivers\limsgt.sys
R2 SoftFax - c:\windows\system32\drivers\faxnt.sys <Not Verified; Conexant; SoftK56>
R2 Tones - c:\windows\system32\drivers\tonesnt.sys <Not Verified; Conexant; SoftK56>
R2 V124 - c:\windows\system32\drivers\v124nt.sys <Not Verified; Conexant; SoftK56>
R3 basic2 - c:\windows\system32\drivers\basic2.sys <Not Verified; Conexant; SoftK56>
R3 Rksample - c:\windows\system32\drivers\rksample.sys <Not Verified; Conexant; SoftK56>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant; SoftK56>

S3 CnxTrLan (NetComm USB Network Adapter Driver) - c:\windows\system32\drivers\cnxtrlan.sys <Not Verified; Conexant; Conexant USB Network Device>
S3 CnxTrUsb (NetComm USB Network Interface Device Driver) - c:\windows\system32\drivers\cnxtrusb.sys <Not Verified; Conexant; Conexant USB Network Device>
S3 hp4200c (%usbscan.SvcDesc%) - c:\windows\system32\drivers\hp4200c.sys <Not Verified; Hewlett-Packard; Windows ® 2000 driver>
S3 LTower (LEGO USB Tower Driver) - c:\windows\system32\drivers\ltower.sys <Not Verified; The LEGO Group; LEGO USB Tower Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6300
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6300
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia 6300
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-05-18 23:30:02 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-18 15:16:18 0 d-------- C:\Documents and Settings\Samantha\Application Data\PlayFirst
2008-05-17 20:01:54 0 d-------- C:\Documents and Settings\Samantha\Saved Games
2008-05-17 20:01:54 0 d-------- C:\Documents and Settings\Samantha\Application Data\FloodLightGames
2008-05-17 19:46:02 0 d-------- C:\Documents and Settings\Norma\Saved Games
2008-05-17 19:46:02 0 d-------- C:\Documents and Settings\Norma\Application Data\FloodLightGames
2008-05-17 19:46:02 0 d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-05-17 19:44:45 0 d-------- C:\Program Files\Death on the Nile
2008-05-17 16:19:51 0 d-------- C:\Documents and Settings\Katie\Application Data\PlayFirst
2008-05-17 15:02:24 0 d-------- C:\Program Files\Dream Chronicles 2 - The Eternal Maze
2008-05-17 13:41:06 37376 --a------ C:\WINDOWS\17PHolmes1535.exe
2008-05-17 13:40:38 45056 --a------ C:\WINDOWS\system32\qoMgDwxu.dll
2008-05-17 13:38:26 45056 --a------ C:\WINDOWS\system32\ddcDSijI.dll
2008-05-17 13:36:44 45056 --a------ C:\WINDOWS\system32\geBuUkhh.dll
2008-05-16 19:00:09 0 d-------- C:\Documents and Settings\Norma\Application Data\PlayFirst
2008-05-16 19:00:09 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-16 18:59:41 0 d-------- C:\Program Files\Dream Chronicles
2008-05-16 16:46:00 0 d-------- C:\Documents and Settings\Samantha\Application Data\Big Fish Games
2008-05-16 11:44:42 0 d-------- C:\Program Files\collection studio
2008-05-15 23:24:26 0 d-------- C:\Documents and Settings\Norma\Application Data\Big Fish Games
2008-05-15 23:23:43 0 d-------- C:\Program Files\Azada
2008-05-04 21:57:30 0 d-------- C:\Documents and Settings\Norma\Application Data\Morpheus
2008-05-03 12:10:39 0 d-------- C:\Documents and Settings\Ashlee\Application Data\HPAppData
2008-04-25 14:10:43 0 d-------- C:\Documents and Settings\Samantha\Application Data\HPAppData
2008-04-23 12:29:58 0 d-------- C:\Documents and Settings\Samantha\Contacts


-- Find3M Report ---------------------------------------------------------------

2008-05-17 16:15:59 0 d-------- C:\Program Files\Steam
2008-05-17 12:55:18 0 d-------- C:\Program Files\Morpheus
2008-05-15 14:19:26 0 d-------- C:\Documents and Settings\Norma\Application Data\ZoomBrowser EX
2008-05-11 22:31:52 0 d-------- C:\Documents and Settings\Norma\Application Data\AdobeUM
2008-04-23 21:27:38 0 d-------- C:\Documents and Settings\Norma\Application Data\Nikon
2008-04-23 21:27:35 0 d-------- C:\Program Files\Common Files\Nikon
2008-04-23 08:06:19 143504 --a------ C:\WINDOWS\hpoins16.dat
2008-04-18 23:33:58 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-18 23:33:42 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:45:39 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-18 15:42:05 0 d-------- C:\Program Files\Windows Live Toolbar
2008-04-18 15:41:38 0 d-------- C:\Program Files\Windows Live Favorites
2008-04-18 15:29:18 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 15:23:06 0 d-------- C:\Program Files\Common Files
2008-04-15 14:40:56 0 d-------- C:\Program Files\MessengerPlus! 3
2008-04-14 14:42:05 0 d-------- C:\Documents and Settings\Norma\Application Data\HP
2008-04-14 11:47:46 0 d-------- C:\Documents and Settings\Norma\Application Data\HPAppData
2008-04-14 09:37:18 0 d-------- C:\Program Files\HP
2008-04-14 09:35:04 0 d-------- C:\Program Files\Common Files\HP
2008-04-13 22:53:37 0 d-------- C:\Program Files\Riven
2008-04-13 20:41:43 347029 --a------ C:\Documents and Settings\Norma\Application Data\NMM-MetaData.db
2008-04-03 17:02:22 0 d-------- C:\Program Files\RootsMagic
2008-03-27 08:32:13 0 d--h----- C:\Program Files\CanonBJ
2008-03-27 08:16:56 0 d-------- C:\Program Files\Canon
2008-03-26 11:29:47 0 d-------- C:\Program Files\EA GAMES
2008-03-20 18:00:17 0 d-------- C:\Documents and Settings\Norma\Application Data\Adobe
2008-03-19 15:02:20 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
03/02/2007 04:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 04:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA8BE6D5-40E0-48B8-B317-18A4A590918A}]
05/17/2008 01:36 PM 45056 --a------ C:\WINDOWS\system32\geBuUkhh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [10/01/2004 10:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/01/2004 10:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/01/2004 10:00 PM]
"SoundMan"="SOUNDMAN.EXE" [03/24/2005 09:20 PM C:\WINDOWS\SOUNDMAN.EXE]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 05:15 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/09/2006 05:29 PM]
"nwiz"="nwiz.exe" [03/09/2006 05:29 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03/09/2006 05:29 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 09:42 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"Vet Start Up"="C:\VET\VETNT.exe" []
"CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [06/15/2006 06:39 PM]
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [06/15/2006 06:39 PM]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [01/17/2002 10:40 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 03:25 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/28/2006 01:16 PM]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [10/11/2006 12:45 PM]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [01/07/2006 01:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 10:13 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/23/2007 12:20 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [03/11/2007 09:34 PM]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [04/15/2008 02:40 PM]
"runner1"="C:\WINDOWS\mrofinu1535.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/01/2004 10:00 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 03:45 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [6/16/2006 5:53:51 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [3/11/2007 9:26:24 PM]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [12/27/2007 10:27:31 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [1/14/2007 8:27:39 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F8555B49-0BB8-1033-1014-050505040001}"="C:\Program Files\Common Files\{F8555B49-0BB8-1033-1014-050505040001}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA8BE6D5-40E0-48B8-B317-18A4A590918A}"= C:\WINDOWS\system32\geBuUkhh.dll [05/17/2008 01:36 PM 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuUkhh]
geBuUkhh.dll 05/17/2008 01:36 PM 45056 C:\WINDOWS\system32\geBuUkhh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Norma^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Norma\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc




-- End of Deckard's System Scanner: finished at 2008-05-19 08:14:32 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1023.48 MiB / 579.14 MiB
Pagefile Memory (total/avail): 2459.56 MiB / 2152.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.55 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 38.62 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600BB-00GUC0 - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:

\\.\PHYSICALDRIVE1 - Generic USB Storage-CFC USB Device

\\.\PHYSICALDRIVE4 - Generic USB Storage-MSC USB Device

\\.\PHYSICALDRIVE2 - Generic USB Storage-SDC USB Device

\\.\PHYSICALDRIVE3 - Generic USB Storage-SMC USB Device

\\.\PHYSICALDRIVE5 - HP Photosmart D5300 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: eTrust Vet Antivirus v7.0.8.1 (Computer Associates)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"="C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
"C:\\Program Files\\FreshWebmaster\\FreshFTP\\freshftp.exe"="C:\\Program Files\\FreshWebmaster\\FreshFTP\\freshftp.exe:*:Enabled:freshftp"
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"="C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe:*:Disabled:Age of Empires"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Norma\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Norma
LOGONSERVER=\\PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NVIDIA Corporation\NVIDIA DDS Utilities;C:\PROGRA~1\MICROS~2\Office;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Norma\LOCALS~1\Temp
TMP=C:\DOCUME~1\Norma\LOCALS~1\Temp
USERDOMAIN=PC
USERNAME=Norma
USERPROFILE=C:\Documents and Settings\Norma
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Norma (admin)
Dad (admin)
Katie (admin)
Samantha (admin)
Ashlee (admin)
xx mums TSRAA sims (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
--> Dummy
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{329899E1-CBBA-49BC-9FFE-199E94316727}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
80 Days --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAB93AAF-0FCC-4023-AE84-F20C16DCC171}\setup.exe" -l0x9 -removeonly
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer --> C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\System32\Adobe\SVG Viewer\Uninst.isu"
Ambush Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\Pocket Tanks Deluxe\unins000.exe"
AnalogX Capture --> C:\Program Files\AnalogX\Capture\captureu.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft Panorama Maker 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon CanoScan Toolbox 5.0 --> "C:\Program Files\Canon\CanoScan Toolbox Ver5.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\CanoScan Toolbox Ver5.0\uninst.ini
Canon EOS 5D WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BB3AB664-D92B-4CB5-8B3E-D841841F4E68} /l1033
Canon MP160 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon Utilities CameraWindow --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities Digital Photo Professional 3.2 --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities Easy-PhotoPrint EX --> C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities Original Data Security Tools --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\Original Data Security Tools\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities Picture Style Editor --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\Picture Style Editor\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities WFT-E1/E2/E3 Utility --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\WFT Utility\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
CanoScan LiDE 70 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2411\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2411 /L0x0009
CEP - Color Enable Package --> "C:\PROGRA~1\EAGAME~1\zCEP_Uninstaller\unins000.exe"
Chaos Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins001.exe"
Collection Studio --> C:\Program Files\Collection Studio\Uninstall.exe
Creative Memories Memory Manager 2 (International) --> MsiExec.exe /I{0F1A3568-7419-4115-A207-512B9F688267}
Death on the Nile --> C:\Program Files\Death on the Nile\Uninstal.exe
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
e-tax 2006 --> C:\etax2006\e-tax 2006_uninstall.exe
eTrust Vet Antivirus --> C:\WINDOWS\unvet32.exe
Family History Resource File Viewer 4.0 --> MsiExec.exe /I{C08C47C2-E9EF-4357-B8FD-AD90FD2EF791}
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
Fireworks Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins002.exe"
Fish Tycoon 1.0 --> C:\Program Files\Fish Tycoon\uninst.exe
Flamethrower Pack 1.00a for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\Pocket Tanks Deluxe\unins001.exe"
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Customer Participation Program 9.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 9.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential 2.01 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Photosmart Printer Software 9.0 --> C:\Program Files\HP\Digital Imaging\{47253C9A-7269-4be7-8BFE-50470F6897FE}\setup\hpzscr01.exe -datfile hposcr16.dat
HP PrecisionScan LT Software --> C:\SCANJET\PrecisionScanLT\uninstal.exe C:\SCANJET\PrecisionScanLT\uninstal.cfg
HP Smart Web Printing --> MsiExec.exe /X{415CDA53-9100-476F-A7B2-476691E117C7}
HP Solution Center 9.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HPSSupply --> MsiExec.exe /X{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LiveUpdate BVRP Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Living Cookbook --> MsiExec.exe /X{F678343D-CDCD-41F5-A638-6FE502C76CB7}
Macromedia Dreamweaver UltraDev --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Macromedia\Dreamweaver UltraDev\UltraDev Uninst.isu"
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
MailWasher Free --> "C:\Program Files\MailWasher\unins000.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Messenger Plus! 3 --> "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /Remove
Microsoft Age of Empires --> C:\Program Files\Microsoft Games\Age of Empires\Uninstal.exe /uninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Publisher 98 --> C:\Program Files\Microsoft Office\Office\Setup\Setup.exe /m
Microsoft Rise Of Nations --> "C:\Program Files\Microsoft Games\Rise of Nations\UNINSTAL.EXE" /runtemp /addremove
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MilkShape 3D 1.7.10 --> "C:\Program Files\MilkShape 3D 1.7.10\uninstall.exe"
mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
Morpheus 5.2 (remove only) --> "C:\Program Files\Morpheus\UninstMorpheus.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetComm NB1300 USB Network Adapter --> C:\Program Files\NetComm\NetComm USB Network\CnxUnist.exe -w7 NetComm\NetComm USB Network
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Nokia_PC_Suite_683_rel_14_1_APAC.exe /LANG="2057"
Nokia PC Suite --> MsiExec.exe /I{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}
NVIDIA DDS Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64963F0E-03F2-4B59-8D1B-1806545E7092}\Setup.exe" -l0x9
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenMG Limited Patch 4.4-06-13-19-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.4-06-13-19-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.4.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{CFB17307-B244-4EAD-AE8E-CDAF440477C2} UNINSTALL
ParLoc --> C:\Program Files\ParLoc\uninstall.exe
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
Photomatix Pro version 2.5.4 --> "C:\Program Files\Photomatix\unins000.exe"
PhotoViewer 2.4 --> "C:\Program Files\PhotoViewer\uninstall.exe"
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
Pirates of the Caribbean --> MsiExec.exe /I{9D9A73EA-B2D5-42CF-BB54-5CC4D9F08134}
Pocket Tanks Deluxe 1.00b --> "C:\Program Files\Pocket Tanks Deluxe\unins000.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Presto! Mr. Photo 2.1 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\NewSoft\MrPhoto2\DeIsL1.isu"
Presto! PageManager 7.15.14 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}\PMSetup.exe" -l0x9 anything -removeonly
Presto! PhotoAlbum --> C:\WINDOWS\uninst.exe -f"C:\Program Files\NewSoft\PhotoAlbum\DeIsL1.isu"
Presto! PhotoComposer --> C:\WINDOWS\uninst.exe -f"C:\Program Files\NewSoft\Compnent\DeIsL1.isu"
Presto! PhotoDesigner1.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\NewSoft\PhotoDesigner\DeIsL1.isu"
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Recipe Database (remove only) --> C:\Program Files\HMCsoft\RDB\uninstall_rdb.exe
RootsMagic 2.0 --> MsiExec.exe /I{2C658A49-5C53-46CE-A3D6-150AA0E91101}
ScanSoft OmniPage SE 4.0 --> MsiExec.exe /I{C1E693A4-B1D5-4DCD-B68D-2087835B7184}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sid Meier's Railroads! --> C:\Program Files\InstallShield Installation Information\{EE3FBD3C-782E-4A90-9507-0ECFE1FECCE4}\setup.exe -runfromtemp -l0x0009 -removeonly
SimCity 4 --> C:\Program Files\Maxis\SimCity 4\EAUninstall.exe
SimPE 0.60b (alpha) --> "C:\Program Files\SimPE\unins001.exe"
SimPE PhotoStudio Templates 3.0 --> "C:\WINDOWS\unins000.exe"
Sims 2 Categorizer --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Sims 2 Categorizer\ST6UNST.LOG"
Sims2Pack Clean Installer --> C:\Program Files\Sims2Pack Clean Installer\uninstall.exe
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
SonicStage 3.4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
The Da Vinci Code --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{851367C1-2F9F-4087-B3E8-8DECFE328370}\setup.exe" -l0x9 -removeonly
The Ship --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/2400
The Ship Single Player --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/2420
The Ship Tutorial --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/2430
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Family Fun Stuff --> C:\Program Files\EA GAMES\The Sims 2 Family Fun Stuff\EAUninstall.exe
The Sims 2 Glamour Life Stuff --> C:\Program Files\EA GAMES\The Sims 2 Glamour Life Stuff\EAUninstall.exe
The Sims 2 HomeCrafter Plus --> C:\Program Files\EA GAMES\The Sims 2 HomeCrafter Plus\EAUninstall.exe
The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims™ 2 Bon Voyage --> C:\Program Files\EA GAMES\The Sims 2 Bon Voyage\EAUninstall.exe
The Sims™ 2 FreeTime --> C:\Program Files\EA GAMES\The Sims 2 FreeTime\EAUninstall.exe
The Sims™ 2 Seasons --> C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe
TRS2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5ED9E38C-9A96-49D8-89B3-92E278003FCF}\Setup.exe" -l0x9
TSR Wizard Manager --> MsiExec.exe /I{FD78E9A3-0016-4F5E-900F-FFFB5DC1835E}
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Ulead VideoStudio 8.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\setup.exe" -l0x9
USB Dual Vibration Joystick --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C80BDCC8-2858-436D-BD9F-F34E30B77755}\setup.exe" -l0x9
UVMapper Professional Demo 3.2a --> "C:\Program Files\UVMapper Professional Demo\unins000.exe"
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zoo Tycoon 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{AD0DA83A-D62C-443B-8C3B-D7B2356FC229}


-- Application Event Log -------------------------------------------------------

Event Record #/Type842 / Success
Event Submitted/Written: 05/18/2008 06:00:59 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type828 / Success
Event Submitted/Written: 05/18/2008 09:11:43 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type813 / Success
Event Submitted/Written: 05/17/2008 07:59:00 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type801 / Success
Event Submitted/Written: 05/17/2008 04:16:43 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type799 / Error
Event Submitted/Written: 05/17/2008 00:55:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application morpheus.exe, version 1.0.0.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [morpheus.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type77220 / Error
Event Submitted/Written: 05/19/2008 07:58:29 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type77190 / Error
Event Submitted/Written: 05/18/2008 09:35:55 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type77153 / Error
Event Submitted/Written: 05/18/2008 05:59:11 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type77141 / Warning
Event Submitted/Written: 05/18/2008 11:05:26 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type77119 / Error
Event Submitted/Written: 05/18/2008 09:10:16 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-05-19 08:14:32 ------------

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:33 AM

Posted 19 May 2008 - 07:29 AM

Hello Twinmum and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you .

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Twinmum

Twinmum
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:33 PM

Posted 19 May 2008 - 05:09 PM

Thanks for taking the time to help Thunder. I happy to say that between posting my question and coming back here, I think I have resolved the problem.
I was happy to just wait for help here, when suddenly yesterday I get pop-ups telling me the license for my anti-virus software has suddenly expired. This was of some concern, as I pay annually in December. I rang the company thinking it may have something to do with that little nasty, but it turned out that the software had been completely updated and I needed to remove the old version and install the new (I must have missed the notification that I would have to do it by yesterday) So that solved that.
So I thought while I had them on the phone, I'd ask about the other. The technician I spoke to had me do all the things you suggested I do (cleaning out the cache etc) plus something in the java console. Then I put the new software in and did a complete system scan. 4 additional files were found and cleaned or removed. Since then I have had no pop-ups saying the vundo .generic is there (had no pop-ups at all ) The computer had run for several hours yesterday and has been on for about an hour today and still appears clean.

Norma

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:33 AM

Posted 20 May 2008 - 04:59 AM

Glad to hear that, Norma :thumbsup:

If however you want to make sure those different infections are gone,
you can still run the ComboFix procedure and post your log.

I'll look it over, hopefully to confirm everything is fine now. :)

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 Twinmum

Twinmum
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:33 PM

Posted 21 May 2008 - 05:39 AM

Again, thank you for your time Thunder. I updated the Java Runtime and also ran the ComboFix (report follows)
It actually deleted some files, so do I take it that there were still some undesirable files on the computer?
Also, is ComboFix something I should run on a regular basis to check for problem files I may be unaware of?

Norma


[HKLM\~\startupfolder\C:^Documents and Settings^Norma^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Norma\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 15:14 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys [2007-06-20 13:54]
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys [2007-06-20 13:54]
S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-18 10:09]
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2001-04-25 16:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 09:30:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 20:17:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-05-21 20:28:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 10:28:23

Pre-Run: 41,055,883,264 bytes free
Post-Run: 43,299,225,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

242 --- E O F --- 2008-05-16 14:05:04

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:33 AM

Posted 21 May 2008 - 07:11 AM

Hello Norma,

It actually deleted some files, so do I take it that there were still some undesirable files on the computer?

That's correct :thumbsup:

Also, is ComboFix something I should run on a regular basis to check for problem files I may be unaware of?

NO, Norma !
ComboFix should never be used without supervision from a qualified Helper :)

You posted only the last part of the ComboFix log.
Would you mind posting the entire log please ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 Twinmum

Twinmum
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:33 PM

Posted 21 May 2008 - 08:23 AM

You posted only the last part of the ComboFix log.
Would you mind posting the entire log please ?


oops, try this

ComboFix 08-05-20.5 - Norma 2008-05-21 20:01:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.581 [GMT 10:00]
Running from: C:\Documents and Settings\Norma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Norma\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{F8555~1
C:\Program Files\Common Files\{F8555~1\services.dll
C:\WINDOWS\BMfb66687a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\components
C:\WINDOWS\system32\ddcDSijI.dll
C:\WINDOWS\system32\DehOrBeg.ini
C:\WINDOWS\system32\DehOrBeg.ini2
C:\WINDOWS\system32\geBuUkhh.dll
C:\WINDOWS\system32\lcpdkqlh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\owxwpagm.ini
C:\WINDOWS\system32\qoMgDwxu.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 21:28 . 2008-05-20 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-05-20 20:40 . 2008-05-20 20:55 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-20 20:40 . 2008-05-20 20:55 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-20 20:40 . 2008-03-11 01:46 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-05-20 20:40 . 2008-03-11 01:46 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-05-20 20:40 . 2008-03-11 01:46 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-05-20 20:40 . 2008-03-11 01:46 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-05-20 20:40 . 2008-03-11 01:46 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-05-20 17:56 . 2008-05-20 17:56 <DIR> d-------- C:\Documents and Settings\Ashlee\Application Data\Big Fish Games
2008-05-19 17:27 . 2008-05-19 17:27 <DIR> d-------- C:\Program Files\CA
2008-05-19 17:27 . 2008-03-11 01:46 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-05-19 17:27 . 2008-03-11 01:46 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-05-19 16:41 . 2008-05-20 20:38 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\GetRightToGo
2008-05-18 22:56 . 2008-05-18 22:56 <DIR> d-------- C:\Deckard
2008-05-18 15:16 . 2008-05-18 16:51 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\PlayFirst
2008-05-17 20:01 . 2008-05-17 20:01 <DIR> d-------- C:\Documents and Settings\Samantha\Saved Games
2008-05-17 20:01 . 2008-05-17 20:01 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\FloodLightGames
2008-05-17 19:46 . 2008-05-17 19:46 <DIR> d-------- C:\Documents and Settings\Norma\Saved Games
2008-05-17 19:46 . 2008-05-17 19:46 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\FloodLightGames
2008-05-17 19:46 . 2008-05-17 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-05-17 19:44 . 2008-05-17 20:01 <DIR> d-------- C:\Program Files\Death on the Nile
2008-05-17 16:19 . 2008-05-17 16:19 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\PlayFirst
2008-05-17 15:02 . 2008-05-18 16:51 <DIR> d-------- C:\Program Files\Dream Chronicles 2 - The Eternal Maze
2008-05-17 13:41 . 2008-05-17 13:41 37,376 --a------ C:\WINDOWS\17PHolmes1535.exe
2008-05-16 19:00 . 2008-05-17 13:43 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\PlayFirst
2008-05-16 19:00 . 2008-05-17 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-16 18:59 . 2008-05-18 15:16 <DIR> d-------- C:\Program Files\Dream Chronicles
2008-05-16 16:46 . 2008-05-16 16:46 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\Big Fish Games
2008-05-16 11:44 . 2008-05-16 11:45 <DIR> d-------- C:\Program Files\collection studio
2008-05-15 23:24 . 2008-05-15 23:24 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\Big Fish Games
2008-05-15 23:23 . 2008-05-20 17:56 <DIR> d-------- C:\Program Files\Azada
2008-05-10 14:16 . 2008-05-10 14:16 5,120 --------- C:\WINDOWS\system32\Thumbs.db
2008-05-04 21:57 . 2008-05-04 21:57 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\Morpheus
2008-05-03 12:10 . 2008-05-03 12:10 <DIR> d-------- C:\Documents and Settings\Ashlee\Application Data\HPAppData
2008-04-25 14:10 . 2008-04-25 14:10 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\HPAppData
2008-04-23 19:00 . 2008-04-23 19:00 268 --ah----- C:\sqmdata01.sqm
2008-04-23 19:00 . 2008-04-23 19:00 244 --ah----- C:\sqmnoopt01.sqm
2008-04-23 12:29 . 2008-04-23 12:29 <DIR> d-------- C:\Documents and Settings\Samantha\Contacts
2008-04-21 10:36 . 2008-04-21 10:36 268 --ah----- C:\sqmdata00.sqm
2008-04-21 10:36 . 2008-04-21 10:36 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 09:26 --------- d-----w C:\Program Files\Java
2008-05-20 08:47 --------- d-----w C:\Documents and Settings\Norma\Application Data\ZoomBrowser EX
2008-05-20 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-20 06:48 --------- d-----w C:\Program Files\Steam
2008-05-17 02:55 --------- d-----w C:\Program Files\Morpheus
2008-05-11 12:31 --------- d-----w C:\Documents and Settings\Norma\Application Data\AdobeUM
2008-04-23 11:27 --------- d-----w C:\Program Files\Common Files\Nikon
2008-04-23 11:27 --------- d-----w C:\Documents and Settings\Norma\Application Data\Nikon
2008-04-23 11:25 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-04-23 11:25 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-04-18 13:33 --------- d-----w C:\Program Files\Windows Live
2008-04-18 13:33 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-18 05:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-18 05:42 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-18 05:41 --------- d-----w C:\Program Files\Windows Live Favorites
2008-04-18 05:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-15 04:40 --------- d-----w C:\Program Files\MessengerPlus! 3
2008-04-15 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-15 03:08 --------- d-----w C:\Documents and Settings\Dad\Application Data\HPAppData
2008-04-14 04:42 --------- d-----w C:\Documents and Settings\Norma\Application Data\HP
2008-04-14 01:47 --------- d-----w C:\Documents and Settings\Norma\Application Data\HPAppData
2008-04-13 23:41 --------- d-----w C:\Documents and Settings\LocalService\Application Data\HP
2008-04-13 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-13 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-13 23:37 --------- d-----w C:\Program Files\HP
2008-04-13 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-13 23:35 --------- d-----w C:\Program Files\Common Files\HP
2008-04-13 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-13 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-13 12:53 --------- d-----w C:\Program Files\Riven
2008-04-03 07:02 --------- d-----w C:\Program Files\RootsMagic
2008-03-28 23:13 --------- d-----w C:\Documents and Settings\Ashlee\Application Data\AdobeUM
2008-03-26 22:32 --------- d--h--w C:\Program Files\CanonBJ
2008-03-26 22:32 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-03-26 22:16 --------- d-----w C:\Program Files\Canon
2008-03-26 01:29 --------- d-----w C:\Program Files\EA GAMES
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42A05809-5227-43AA-AFC6-095FA0310381}]
C:\WINDOWS\system32\geBrOheD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-01 22:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-10-01 22:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-10-01 22:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-10-01 22:00 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 21:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 17:15 106496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 17:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 17:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 17:29 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [2002-01-17 10:40 40448]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45 75304]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 12:20 227328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2008-04-15 14:40 190024]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-04-10 00:06 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-03-11 01:46 234760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 14:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-16 17:53:51 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-12-27 10:27:31 118784]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-01-14 08:27:39 389120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8555B49-0BB8-1033-1014-050505040001}"= "C:\Program Files\Common Files\{F8555B49-0BB8-1033-1014-050505040001}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gutadnne]
gutadnne.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0023290]
__c0023290.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Norma^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Norma\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 15:14 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys [2007-06-20 13:54]
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys [2007-06-20 13:54]
S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-18 10:09]
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2001-04-25 16:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 09:30:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 20:17:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-05-21 20:28:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 10:28:23

Pre-Run: 41,055,883,264 bytes free
Post-Run: 43,299,225,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

242 --- E O F --- 2008-05-16 14:05:04

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:33 AM

Posted 21 May 2008 - 04:12 PM

Hello Norma,

Let's clean up some more :thumbsup:

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:File::
C:\Program Files\Common Files\{F8555B49-0BB8-1033-1014-050505040001}\Update.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42A05809-5227-43AA-AFC6-095FA0310381}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F8555B49-0BB8-1033-1014-050505040001}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gutadnne]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0023290]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh HijackThislog.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 Twinmum

Twinmum
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:33 PM

Posted 22 May 2008 - 04:09 AM

>Are you still having problems ?


Well I was going to say no because I haven't had any more pop-ups .. BUT...
a short time ago I came into the computer and one of my daughters hadn't logged out and there was a pop up there saying the vundo file had been found. I'm hoping I don't have to do all this on everyone's desktop seperately :thumbsup:

Anyway, I have run combofix again as you advised and then hijack this. Logs for both follow.

Norma


ComboFix 08-05-20.5 - Norma 2008-05-22 18:36:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.61.1033.18.565 [GMT 10:00]
Running from: C:\Documents and Settings\Norma\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Norma\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\{F8555B49-0BB8-1033-1014-050505040001}\Update.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\17PHolmes1535.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-21 23:41 . 2008-05-21 23:41 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\HP
2008-05-20 21:28 . 2008-05-20 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-05-20 20:40 . 2008-05-20 20:55 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-20 20:40 . 2008-05-20 20:55 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-20 20:40 . 2008-03-11 01:46 91,400 --a------ C:\WINDOWS\system32\isafprod.dll
2008-05-20 20:40 . 2008-03-11 01:46 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-05-20 20:40 . 2008-03-11 01:46 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-05-20 20:40 . 2008-03-11 01:46 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-05-20 20:40 . 2008-03-11 01:46 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-05-20 17:56 . 2008-05-20 17:56 <DIR> d-------- C:\Documents and Settings\Ashlee\Application Data\Big Fish Games
2008-05-19 17:27 . 2008-05-19 17:27 <DIR> d-------- C:\Program Files\CA
2008-05-19 17:27 . 2008-03-11 01:46 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-05-19 17:27 . 2008-03-11 01:46 83,256 --a------ C:\WINDOWS\system32\vetredir.dll
2008-05-19 16:41 . 2008-05-20 20:38 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\GetRightToGo
2008-05-18 22:56 . 2008-05-18 22:56 <DIR> d-------- C:\Deckard
2008-05-18 15:16 . 2008-05-18 16:51 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\PlayFirst
2008-05-17 20:01 . 2008-05-17 20:01 <DIR> d-------- C:\Documents and Settings\Samantha\Saved Games
2008-05-17 20:01 . 2008-05-17 20:01 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\FloodLightGames
2008-05-17 19:46 . 2008-05-17 19:46 <DIR> d-------- C:\Documents and Settings\Norma\Saved Games
2008-05-17 19:46 . 2008-05-17 19:46 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\FloodLightGames
2008-05-17 19:46 . 2008-05-17 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-05-17 19:44 . 2008-05-17 20:01 <DIR> d-------- C:\Program Files\Death on the Nile
2008-05-17 16:19 . 2008-05-17 16:19 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\PlayFirst
2008-05-17 15:02 . 2008-05-18 16:51 <DIR> d-------- C:\Program Files\Dream Chronicles 2 - The Eternal Maze
2008-05-16 19:00 . 2008-05-17 13:43 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\PlayFirst
2008-05-16 19:00 . 2008-05-17 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-16 18:59 . 2008-05-18 15:16 <DIR> d-------- C:\Program Files\Dream Chronicles
2008-05-16 16:46 . 2008-05-16 16:46 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\Big Fish Games
2008-05-16 11:44 . 2008-05-16 11:45 <DIR> d-------- C:\Program Files\collection studio
2008-05-15 23:24 . 2008-05-15 23:24 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\Big Fish Games
2008-05-15 23:23 . 2008-05-20 17:56 <DIR> d-------- C:\Program Files\Azada
2008-05-10 14:16 . 2008-05-10 14:16 5,120 --------- C:\WINDOWS\system32\Thumbs.db
2008-05-04 21:57 . 2008-05-04 21:57 <DIR> d-------- C:\Documents and Settings\Norma\Application Data\Morpheus
2008-05-03 12:10 . 2008-05-03 12:10 <DIR> d-------- C:\Documents and Settings\Ashlee\Application Data\HPAppData
2008-04-25 14:10 . 2008-04-25 14:10 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\HPAppData
2008-04-23 19:00 . 2008-04-23 19:00 268 --ah----- C:\sqmdata01.sqm
2008-04-23 19:00 . 2008-04-23 19:00 244 --ah----- C:\sqmnoopt01.sqm
2008-04-23 12:29 . 2008-04-23 12:29 <DIR> d-------- C:\Documents and Settings\Samantha\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 08:28 --------- d-----w C:\Program Files\Steam
2008-05-21 09:26 --------- d-----w C:\Program Files\Java
2008-05-20 08:47 --------- d-----w C:\Documents and Settings\Norma\Application Data\ZoomBrowser EX
2008-05-20 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-17 02:55 --------- d-----w C:\Program Files\Morpheus
2008-05-11 12:31 --------- d-----w C:\Documents and Settings\Norma\Application Data\AdobeUM
2008-04-23 11:27 --------- d-----w C:\Program Files\Common Files\Nikon
2008-04-23 11:27 --------- d-----w C:\Documents and Settings\Norma\Application Data\Nikon
2008-04-23 11:25 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-04-23 11:25 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-04-18 13:33 --------- d-----w C:\Program Files\Windows Live
2008-04-18 13:33 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-18 05:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-18 05:42 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-18 05:41 --------- d-----w C:\Program Files\Windows Live Favorites
2008-04-18 05:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-15 04:40 --------- d-----w C:\Program Files\MessengerPlus! 3
2008-04-15 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-15 03:08 --------- d-----w C:\Documents and Settings\Dad\Application Data\HPAppData
2008-04-14 04:42 --------- d-----w C:\Documents and Settings\Norma\Application Data\HP
2008-04-14 01:47 --------- d-----w C:\Documents and Settings\Norma\Application Data\HPAppData
2008-04-13 23:41 --------- d-----w C:\Documents and Settings\LocalService\Application Data\HP
2008-04-13 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2008-04-13 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-13 23:37 --------- d-----w C:\Program Files\HP
2008-04-13 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-04-13 23:35 --------- d-----w C:\Program Files\Common Files\HP
2008-04-13 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-04-13 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-13 12:53 --------- d-----w C:\Program Files\Riven
2008-04-03 07:02 --------- d-----w C:\Program Files\RootsMagic
2008-03-28 23:13 --------- d-----w C:\Documents and Settings\Ashlee\Application Data\AdobeUM
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 22:32 --------- d--h--w C:\Program Files\CanonBJ
2008-03-26 22:32 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-03-26 22:16 --------- d-----w C:\Program Files\Canon
2008-03-26 01:38 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-26 01:29 --------- d-----w C:\Program Files\EA GAMES
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_20.28.10.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 10:17:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-22 06:03:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-08 23:13:19 204,920 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-21 22:32:38 204,920 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-10-01 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-10-01 22:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-10-01 22:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-10-01 22:00 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 21:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 17:15 106496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 17:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 17:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 17:29 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [2002-01-17 10:40 40448]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45 75304]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 12:20 227328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2008-04-15 14:40 190024]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-22 08:42 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-03-11 01:46 234760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 14:58 1744896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-16 17:53:51 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-12-27 10:27:31 118784]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-01-14 08:27:39 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Norma^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Norma\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 15:14 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys [2007-06-20 13:54]
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys [2007-06-20 13:54]
S3 hp4200c;%usbscan.SvcDesc%;C:\WINDOWS\system32\DRIVERS\hp4200c.sys [2001-02-18 10:09]
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2001-04-25 16:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 08:30:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 18:43:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 18:49:42
ComboFix-quarantined-files.txt 2008-05-22 08:49:26
ComboFix2.txt 2008-05-21 10:28:26

Pre-Run: 44,387,651,584 bytes free
Post-Run: 44,391,825,408 bytes free

207 --- E O F --- 2008-05-16 14:05:04







Deckard's System Scanner v20071014.68
Run by Norma on 2008-05-22 18:58:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Norma.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:59:02 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Norma\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Norma.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toadgames.com/Default.asp?LogIn=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-343818398-651377827-682003330-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'Katie')
O4 - HKUS\S-1-5-21-343818398-651377827-682003330-1006\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent (User 'Katie')
O4 - HKUS\S-1-5-21-343818398-651377827-682003330-1006\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (User 'Katie')
O4 - HKUS\S-1-5-21-343818398-651377827-682003330-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Katie')
O4 - HKUS\S-1-5-21-343818398-651377827-682003330-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Katie')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.au/
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/er...easeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2208F4A7-2203-4627-AB3D-80711E1A7157}: NameServer = 203.88.240.88,203.88.255.99
O17 - HKLM\System\CS1\Services\Tcpip\..\{2208F4A7-2203-4627-AB3D-80711E1A7157}: NameServer = 203.88.240.88,203.88.255.99
O17 - HKLM\System\CS2\Services\Tcpip\..\{2208F4A7-2203-4627-AB3D-80711E1A7157}: NameServer = 203.88.240.88,203.88.255.99
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 11042 bytes

-- Files created between 2008-04-22 and 2008-05-22 -----------------------------

2008-05-22 18:58:48 0 d-------- C:\Program Files\Trend Micro
2008-05-21 23:41:53 0 d-------- C:\Documents and Settings\Dad\Application Data\HP
2008-05-21 20:00:32 0 d-------- C:\cmdcons
2008-05-21 19:58:50 68096 --a------ C:\WINDOWS\zip.exe
2008-05-21 19:58:50 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-21 19:58:50 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-21 19:58:50 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-21 19:58:50 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-21 19:58:50 98816 --a------ C:\WINDOWS\sed.exe
2008-05-21 19:58:50 80412 --a------ C:\WINDOWS\grep.exe
2008-05-21 19:58:50 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-20 21:28:25 0 d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-05-20 17:56:43 0 d-------- C:\Documents and Settings\Ashlee\Application Data\Big Fish Games
2008-05-19 17:27:26 0 d-------- C:\Program Files\CA
2008-05-19 16:41:59 0 d-------- C:\Documents and Settings\Norma\Application Data\GetRightToGo
2008-05-18 15:16:18 0 d-------- C:\Documents and Settings\Samantha\Application Data\PlayFirst
2008-05-17 20:01:54 0 d-------- C:\Documents and Settings\Samantha\Saved Games
2008-05-17 20:01:54 0 d-------- C:\Documents and Settings\Samantha\Application Data\FloodLightGames
2008-05-17 19:46:02 0 d-------- C:\Documents and Settings\Norma\Saved Games
2008-05-17 19:46:02 0 d-------- C:\Documents and Settings\Norma\Application Data\FloodLightGames
2008-05-17 19:46:02 0 d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-05-17 19:44:45 0 d-------- C:\Program Files\Death on the Nile
2008-05-17 16:19:51 0 d-------- C:\Documents and Settings\Katie\Application Data\PlayFirst
2008-05-17 15:02:24 0 d-------- C:\Program Files\Dream Chronicles 2 - The Eternal Maze
2008-05-16 19:00:09 0 d-------- C:\Documents and Settings\Norma\Application Data\PlayFirst
2008-05-16 19:00:09 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-16 18:59:41 0 d-------- C:\Program Files\Dream Chronicles
2008-05-16 16:46:00 0 d-------- C:\Documents and Settings\Samantha\Application Data\Big Fish Games
2008-05-16 11:44:42 0 d-------- C:\Program Files\collection studio
2008-05-15 23:24:26 0 d-------- C:\Documents and Settings\Norma\Application Data\Big Fish Games
2008-05-15 23:23:43 0 d-------- C:\Program Files\Azada
2008-05-04 21:57:30 0 d-------- C:\Documents and Settings\Norma\Application Data\Morpheus
2008-05-03 12:10:39 0 d-------- C:\Documents and Settings\Ashlee\Application Data\HPAppData
2008-04-25 14:10:43 0 d-------- C:\Documents and Settings\Samantha\Application Data\HPAppData
2008-04-23 12:29:58 0 d-------- C:\Documents and Settings\Samantha\Contacts


-- Find3M Report ---------------------------------------------------------------

2008-05-22 18:28:12 0 d-------- C:\Program Files\Steam
2008-05-21 20:05:24 0 d-------- C:\Program Files\Common Files
2008-05-21 19:26:03 0 d-------- C:\Program Files\Java
2008-05-20 18:47:16 0 d-------- C:\Documents and Settings\Norma\Application Data\ZoomBrowser EX
2008-05-17 12:55:18 0 d-------- C:\Program Files\Morpheus
2008-05-11 22:31:52 0 d-------- C:\Documents and Settings\Norma\Application Data\AdobeUM
2008-04-23 21:27:38 0 d-------- C:\Documents and Settings\Norma\Application Data\Nikon
2008-04-23 21:27:35 0 d-------- C:\Program Files\Common Files\Nikon
2008-04-23 08:06:19 143504 --a------ C:\WINDOWS\hpoins16.dat
2008-04-18 23:33:58 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-18 23:33:42 0 d-------- C:\Program Files\Windows Live
2008-04-18 15:45:39 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-18 15:42:05 0 d-------- C:\Program Files\Windows Live Toolbar
2008-04-18 15:41:38 0 d-------- C:\Program Files\Windows Live Favorites
2008-04-18 15:29:18 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-15 14:40:56 0 d-------- C:\Program Files\MessengerPlus! 3
2008-04-14 14:42:05 0 d-------- C:\Documents and Settings\Norma\Application Data\HP
2008-04-14 11:47:46 0 d-------- C:\Documents and Settings\Norma\Application Data\HPAppData
2008-04-14 09:37:18 0 d-------- C:\Program Files\HP
2008-04-14 09:35:04 0 d-------- C:\Program Files\Common Files\HP
2008-04-13 22:53:37 0 d-------- C:\Program Files\Riven
2008-04-13 20:41:43 347029 --a------ C:\Documents and Settings\Norma\Application Data\NMM-MetaData.db
2008-04-03 17:02:22 0 d-------- C:\Program Files\RootsMagic
2008-03-27 08:32:13 0 d--h----- C:\Program Files\CanonBJ
2008-03-27 08:16:56 0 d-------- C:\Program Files\Canon
2008-03-26 11:29:47 0 d-------- C:\Program Files\EA GAMES


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
03/02/2007 04:52 PM 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
03/02/2007 04:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [10/01/2004 10:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/01/2004 10:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [10/01/2004 10:00 PM]
"SoundMan"="SOUNDMAN.EXE" [03/24/2005 09:20 PM C:\WINDOWS\SOUNDMAN.EXE]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/12/2002 05:15 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/09/2006 05:29 PM]
"nwiz"="nwiz.exe" [03/09/2006 05:29 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03/09/2006 05:29 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 09:42 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [01/17/2002 10:40 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [09/28/2006 01:16 PM]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [10/11/2006 12:45 PM]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [01/07/2006 01:36 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 10:13 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/23/2007 12:20 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [03/11/2007 09:34 PM]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [04/15/2008 02:40 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [05/22/2008 08:42 AM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [03/11/2008 01:46 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 03:45 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/01/2004 10:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [6/16/2006 05:53:51 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [3/11/2007 09:26:24 PM]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [12/27/2007 10:27:31 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [1/14/2007 08:27:39 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Norma^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Norma\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-05-22 18:59:46 ------------

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:33 AM

Posted 22 May 2008 - 06:37 AM

Hello Norma,

Your logs look fine now. :thumbsup:

No need to repeat this from all accounts,
although I would like a fresh HijackThis log from any account that still shows problems ("Katie" ??)

a pop up there saying the vundo file had been found

Virusscanner popup ??
Any mentioning of the exact location of the find ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#11 Twinmum

Twinmum
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:33 PM

Posted 22 May 2008 - 07:36 AM

Hello Norma,

Your logs look fine now. :)

No need to repeat this from all accounts,
although I would like a fresh HijackThis log from any account that still shows problems ("Katie" ??)

Virusscanner popup ??
Any mentioning of the exact location of the find ?


That is good to hear (both that they seem clear and I don't have to repeat the process - though if it was needed I certainly wouldn't hesitate)

Yes it was a pop up from my virus scanner, but I clicked the close button without thinking about the location. But I'm not totally silly :thumbsup: I just went and looked at the real time scanner log of Vet and found these two entries:

5/22/2008 17:56 File infection: C:\System Volume Information\_restore{F9E4E502-539D-4F93-AC4A-7BB870FB4DC8
}\RP320\AO112071.dll is Win32/Vundo!generic trojan. Deleted

5/22/2008 18:06 File infection: C:\System Volume Information\_restore{F9E4E502-539D-4F93-AC4A-7BB870FB4DC8
}\RP320\AO112072.dll is Win32/Darksma.JD trojan. Deleted

Now as for the HijackThis log (and yes it was on Katie's account) I'm not sure if I did this right. The icon is on my desktop but not her's so I saved it to her documents, moved it onto her desktop then ran it and ended up with the following report log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:01 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.au/
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/er...easeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2208F4A7-2203-4627-AB3D-80711E1A7157}: NameServer = 203.88.240.88,203.88.255.99
O17 - HKLM\System\CS1\Services\Tcpip\..\{2208F4A7-2203-4627-AB3D-80711E1A7157}: NameServer = 203.88.240.88,203.88.255.99
O17 - HKLM\System\CS2\Services\Tcpip\..\{2208F4A7-2203-4627-AB3D-80711E1A7157}: NameServer = 203.88.240.88,203.88.255.99
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10449 bytes

#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:33 AM

Posted 22 May 2008 - 08:44 AM

Hello Norma,

You did just fine, though it was a false alarm :
the popup warning referred to a trace in your system restore points.
These are about to be reset while removing ComboFix :thumbsup:

Katie's log shows one minor item we can clean up though :
From her account :
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if still present :O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/er...easeInstall.cab
Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then return to your account and remove all tools used and folders made in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

This should be the end of your problems. :)

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#13 Twinmum

Twinmum
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:33 PM

Posted 23 May 2008 - 06:25 AM

All clear now. That last item was on Katie's side, but it's gone now.

Thank you so much for your time and help Thunder

One last question, is there some program that would run a real time scanner to catch these things that I could run in partnership with my anti virus program or something that I could do an on demand scan with? At the moment I have CA Anti Virus and I try and run Spybot and AdAware on a fairly regular basis.

Norma

#14 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:33 AM

Posted 23 May 2008 - 05:15 PM

Glad we could help, Twinmum :thumbsup:

At the moment I have CA Anti Virus and I try and run Spybot and AdAware on a fairly regular basis.

That's a very good start.
You can run a MBAM scan or a Kaspersky online scan whever you feel like it. :)

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users