Infected With Malware


  • This topic is locked
3 replies to this topic

#1 armadillo1111


Posted 28 May 2008 - 06:47 AM

Hi there,

I think I have been infected with some malware. Every time I start up IE it tries to open up new tabs and download 'anti virus' software. Firefox does the same thing. When I log on there's a prompt which says cannot start a DLL file.

Here is the main.txt file that was generated by DSS:

Deckard's System Scanner v20071014.68
Run by joewalkden on 2008-05-28 21:29:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
16: 2008-05-29 02:51:56 UTC - RP29 - Installed AVG 8.0
15: 2008-05-29 01:34:21 UTC - RP28 - Windows Update
14: 2008-05-28 18:05:00 UTC - RP27 - Microsoft OneCare Protection Checkpoint
13: 2008-05-28 14:54:35 UTC - RP25 - Installed Windows Media Player Firefox Plugin
12: 2008-05-28 04:20:16 UTC - RP24 - Microsoft OneCare Protection Checkpoint


-- First Restore Point --
1: 2008-05-27 00:55:42 UTC - RP8 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as joewalkden.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:00 PM, on 28/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\joewalkden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\18DZT9RA\dss[1].exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\joewalkden.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\xxyXoLef.dll,#1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JOEWAL~1\AppData\Local\Temp\ddccCUKd.dll,c
O4 - HKCU\..\Run: [74d8fbd1] rundll32.exe "C:\Users\JOEWAL~1\AppData\Local\Temp\cjpvvpal.dll",b
O4 - HKCU\..\Run: [__c0040F64] rundll32.exe "C:\Users\joewalkden\AppData\Roaming\__c0040F64.dat",B
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\JOEWAL~1\AppData\Local\Temp\hgGxYRkK.dll,#1
O4 - HKCU\..\Run: [BM77ebc84d] Rundll32.exe "C:\Users\JOEWAL~1\AppData\Local\Temp\hiukctsd.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

--
End of file - 7106 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 19:36:30 428 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{18FC9DD2-696D-4339-863E-660A0BFB7D9E}.job


-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 21:20:04 0 d-------- C:\Program Files\Trend Micro
2008-05-28 19:58:00 0 d--h----- C:\$AVG8.VAULT$
2008-05-28 19:52:26 0 d-------- C:\Windows\system32\drivers\Avg
2008-05-28 19:52:12 0 d-------- C:\Users\All Users\avg8
2008-05-28 19:52:12 0 d-------- C:\Program Files\AVG
2008-05-28 19:36:29 0 d-------- C:\WINSSLog
2008-05-27 19:22:15 0 d-------- C:\Program Files\FileZilla FTP Client
2008-05-26 22:15:48 0 d-------- C:\Program Files\MSXML 4.0
2008-05-26 21:57:28 0 d-------- C:\Program Files\NeroInstall.bak
2008-05-26 21:37:04 0 d-------- C:\Program Files\Nero
2008-05-26 21:37:03 0 d-------- C:\Users\All Users\Nero
2008-05-26 21:37:03 0 d-------- C:\Program Files\Common Files\Nero
2008-05-26 21:23:04 30208 --a------ C:\Windows\system32\xxyXoLef.dll
2008-05-26 21:06:57 0 d-------- C:\Users\All Users\FLEXnet
2008-05-26 20:47:36 0 d-------- C:\Users\All Users\Adobe
2008-05-26 20:35:48 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 20:27:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-26 20:09:22 0 d-------- C:\Program Files\PowerISO
2008-05-26 20:07:04 0 d-------- C:\Program Files\ExtractNow
2008-05-26 18:46:30 0 d-------- C:\Users\All Users\Azureus
2008-05-26 18:44:49 0 d-------- C:\Program Files\Azureus
2008-05-26 18:36:51 0 d-------- C:\Program Files\Microsoft Works
2008-05-26 18:33:39 0 d-------- C:\Program Files\Microsoft.NET
2008-05-26 18:30:54 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-26 18:29:20 0 d-------- C:\Users\All Users\Microsoft Help
2008-05-26 18:26:33 0 d-------- C:\Program Files\Flickr Uploadr
2008-05-26 18:23:04 0 d-------- C:\Program Files\Guitar-Online Tools
2008-05-26 18:11:05 0 d-------- C:\Program Files\Windows Live
2008-05-26 18:10:39 0 d-------- C:\Users\All Users\WLInstaller
2008-05-26 17:57:58 0 --a------ C:\Windows\ativpsrm.bin
2008-05-25 21:39:59 56 --ah----- C:\Users\All Users\ezsidmv.dat
2008-05-25 21:36:52 0 d-------- C:\Program Files\Skype
2008-05-25 21:36:51 0 d-------- C:\Program Files\Common Files\Skype
2008-05-25 21:36:36 0 d-------- C:\Users\All Users\Skype
2008-05-25 21:21:34 0 d-------- C:\Program Files\iPod
2008-05-25 21:21:30 0 d-------- C:\Program Files\iTunes
2008-05-25 21:21:16 0 d-------- C:\Program Files\Bonjour
2008-05-25 21:20:34 0 d-------- C:\Program Files\QuickTime
2008-05-25 21:20:32 0 d-------- C:\Users\All Users\Apple Computer
2008-05-25 21:20:15 0 d-------- C:\Program Files\Apple Software Update
2008-05-25 21:19:39 0 d-------- C:\Program Files\Common Files\Apple
2008-05-25 21:19:35 0 d-------- C:\Users\All Users\Apple
2008-05-25 21:07:51 0 d-------- C:\Windows\system32\Macromed
2008-05-25 21:06:04 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-25 20:43:52 0 d------c- C:\Windows\system32\DRVSTORE
2008-05-25 20:42:50 0 d-------- C:\Windows\PCHEALTH
2008-05-25 19:55:41 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 19:55:38 0 d--hs---- C:\Windows\Installer
2008-05-25 19:06:06 0 d-------- C:\Windows\Panther
2008-05-25 18:29:50 0 dr------- C:\Users\joewalkden\Searches
2008-05-25 18:29:33 0 dr------- C:\Users\joewalkden\Contacts
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\Templates
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\Start Menu
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\SendTo
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\Recent
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\PrintHood
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\NetHood
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\My Documents
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\Local Settings
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\Cookies
2008-05-25 18:29:16 0 d--hs---- C:\Users\joewalkden\Application Data
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Videos
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Saved Games
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Pictures
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Music
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Links
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Favorites
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Downloads
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Documents
2008-05-25 18:29:15 0 dr------- C:\Users\joewalkden\Desktop
2008-05-25 18:29:15 0 d--h----- C:\Users\joewalkden\AppData
2008-05-25 18:29:14 1048576 --ahs---- C:\Users\joewalkden\NTUSER.DAT
2008-05-25 18:14:30 0 d-------- C:\Windows\SoftwareDistribution
2008-05-25 18:13:24 0 d-------- C:\Program Files\Analog Devices
2008-05-25 18:12:19 0 d-------- C:\Windows\Debug
2008-05-25 18:12:18 0 d-------- C:\Windows\CSC
2008-05-25 18:07:06 0 d-------- C:\Windows\Prefetch
2008-05-25 00:46:05 0 d--hs---- C:\Boot


-- Find3M Report ---------------------------------------------------------------

2008-05-28 19:22:18 0 d-------- C:\Program Files\Common Files
2008-05-27 19:27:57 0 d-------- C:\Users\joewalkden\AppData\Roaming\Adobe
2008-05-26 21:48:22 0 d-------- C:\Users\joewalkden\AppData\Roaming\Nero
2008-05-26 20:09:51 0 d-------- C:\Users\joewalkden\AppData\Roaming\Azureus
2008-05-26 18:36:23 0 d-------- C:\Program Files\MSBuild
2008-05-25 22:00:18 0 d-------- C:\Users\joewalkden\AppData\Roaming\Mozilla
2008-05-25 21:41:24 0 d-------- C:\Users\joewalkden\AppData\Roaming\Skype
2008-05-25 21:39:59 0 d-------- C:\Users\joewalkden\AppData\Roaming\skypePM
2008-05-25 21:21:48 0 d-------- C:\Users\joewalkden\AppData\Roaming\Apple Computer
2008-05-25 21:08:00 0 d-------- C:\Users\joewalkden\AppData\Roaming\Macromedia
2008-05-25 19:42:02 174 --ahs---- C:\Program Files\desktop.ini
2008-05-25 19:37:36 0 d-------- C:\Program Files\Windows Calendar
2008-05-25 19:37:34 0 d-------- C:\Program Files\Windows Mail
2008-05-25 19:37:33 0 d-------- C:\Program Files\Windows Defender
2008-05-25 19:37:27 0 d-------- C:\Program Files\Windows Sidebar
2008-05-25 18:29:37 0 d-------- C:\Users\joewalkden\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [25/05/2008 07:23 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 07:00 AM]
"MSServer"="C:\Windows\system32\xxyXoLef.dll" [26/05/2008 09:23 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [28/05/2008 07:52 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [25/05/2008 07:06 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 05:34 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"cmds"="C:\Users\JOEWAL~1\AppData\Local\Temp\ddccCUKd.dll,c" []
"74d8fbd1"="C:\Users\JOEWAL~1\AppData\Local\Temp\cjpvvpal.dll,b" []
"__c0040F64"="C:\Users\joewalkden\AppData\Roaming\__c0040F64.dat,B" []
"MSServer"="C:\Users\JOEWAL~1\AppData\Local\Temp\hgGxYRkK.dll,#1" []
"BM77ebc84d"="C:\Users\JOEWAL~1\AppData\Local\Temp\hiukctsd.dll,s" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{87862E26-BDA0-4A78-B94C-86BCB9428A6F}"= C:\Windows\system32\xxyXoLef.dll [26/05/2008 09:23 PM 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-28 21:34:21 ------------


===================================================================
===================================================================

Here is the extra.txt file that was generated by DSS:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 2045.52 MiB / 1149.2 MiB
Pagefile Memory (total/avail): 4313.23 MiB / 3223.93 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1904.68 MiB

C: is Fixed (NTFS) - 149 GiB total, 57.56 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-75NCB2 ATA Device - 149.01 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Windows Live OneCare Firewall v1.0.0 (Microsoft Corporation) Disabled
AV: AVG Anti-Virus v8.0 (AVG Technologies)
AV: Windows Live OneCare v1.0.0 (Microsoft Corporation) Disabled
AS: AVG Anti-Virus v8.0 (AVG Technologies) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: Windows Live OneCare v1.0.0 (Microsoft Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\joewalkden\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOEWALKDEN-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HKCU_S=\REGISTRY\CUSER\Software
HKLM_S=\REGISTRY\MACHINE\Software
HOMEDRIVE=C:
HOMEPATH=\Users\joewalkden
LOCALAPPDATA=C:\Users\joewalkden\AppData\Local
LOGONSERVER=\\JOEWALKDEN-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\JOEWAL~1\AppData\Local\Temp
TMP=C:\Users\JOEWAL~1\AppData\Local\Temp
USERDOMAIN=joewalkden-PC
USERNAME=joewalkden
USERPROFILE=C:\Users\joewalkden
windir=C:\Windows
__APPCOMPAT_MANIFEST=
__COMPAT_LAYER=VistaSetUp


-- User Profiles ---------------------------------------------------------------

joewalkden


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
ExtractNow --> "C:\Program Files\ExtractNow\unins000.exe"
FileZilla Client 3.0.10 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
Flickr Uploadr 3.0.5 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
Guitar-Online Tools - Tuner, version 2.1 --> "C:\Program Files\Guitar-Online Tools\Tuner\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Ultimate 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ULTIMATER /dll OSETUP.DLL
Microsoft Office Ultimate 2007 --> MsiExec.exe /X{91120000-002E-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nero 8 Trial --> MsiExec.exe /X{D6D5CB84-0E6E-4E69-B300-C690B6911033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {91120000-002E-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1327 / Success
Event Submitted/Written: 05/28/2008 09:12:15 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type1326 / Success
Event Submitted/Written: 05/28/2008 09:11:59 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type1322 / Success
Event Submitted/Written: 05/28/2008 09:11:40 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type1311 / Warning
Event Submitted/Written: 05/28/2008 09:10:19 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2889657772-315506631-1619284845-1000_Classes:
Process 948 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2889657772-315506631-1619284845-1000_CLASSES

Event Record #/Type1310 / Warning
Event Submitted/Written: 05/28/2008 09:10:18 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2889657772-315506631-1619284845-1000:
Process 948 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2889657772-315506631-1619284845-1000



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11771 / Warning
Event Submitted/Written: 05/28/2008 09:33:19 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%joewalkden-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %joewalkden-PC27 can't undo changes that you allow.

For more information please see the following:
%joewalkden-PC275

Scan ID: {B6929A8B-239E-4BA0-B31A-675FEB6C968B}

User: joewalkden-PC\joewalkden

Name: %joewalkden-PC271

ID: %joewalkden-PC272

Severity ID: %joewalkden-PC273

Category ID: %joewalkden-PC274

Path Found: %joewalkden-PC276

Alert Type: %joewalkden-PC278

Detection Type: 1.1.1505.02

Event Record #/Type11770 / Warning
Event Submitted/Written: 05/28/2008 09:33:19 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%joewalkden-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %joewalkden-PC27 can't undo changes that you allow.

For more information please see the following:
%joewalkden-PC275

Scan ID: {33599634-A8BF-41D4-AFED-E37BBD1E3C4D}

User: joewalkden-PC\joewalkden

Name: %joewalkden-PC271

ID: %joewalkden-PC272

Severity ID: %joewalkden-PC273

Category ID: %joewalkden-PC274

Path Found: %joewalkden-PC276

Alert Type: %joewalkden-PC278

Detection Type: 1.1.1505.02

Event Record #/Type11769 / Warning
Event Submitted/Written: 05/28/2008 09:33:19 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%joewalkden-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %joewalkden-PC27 can't undo changes that you allow.

For more information please see the following:
%joewalkden-PC275

Scan ID: {DDF2089C-AE42-40DE-920C-CA628E608A9F}

User: joewalkden-PC\joewalkden

Name: %joewalkden-PC271

ID: %joewalkden-PC272

Severity ID: %joewalkden-PC273

Category ID: %joewalkden-PC274

Path Found: %joewalkden-PC276

Alert Type: %joewalkden-PC278

Detection Type: 1.1.1505.02

Event Record #/Type11768 / Warning
Event Submitted/Written: 05/28/2008 09:33:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%joewalkden-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %joewalkden-PC27 can't undo changes that you allow.

For more information please see the following:
%joewalkden-PC275

Scan ID: {495B2C6B-C2EC-4E0D-A91E-4BBF5687B96D}

User: joewalkden-PC\joewalkden

Name: %joewalkden-PC271

ID: %joewalkden-PC272

Severity ID: %joewalkden-PC273

Category ID: %joewalkden-PC274

Path Found: %joewalkden-PC276

Alert Type: %joewalkden-PC278

Detection Type: 1.1.1505.02

Event Record #/Type11767 / Warning
Event Submitted/Written: 05/28/2008 09:33:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%joewalkden-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %joewalkden-PC27 can't undo changes that you allow.

For more information please see the following:
%joewalkden-PC275

Scan ID: {A9804445-0FB9-4DF4-BF63-2512E471B1BB}

User: joewalkden-PC\joewalkden

Name: %joewalkden-PC271

ID: %joewalkden-PC272

Severity ID: %joewalkden-PC273

Category ID: %joewalkden-PC274

Path Found: %joewalkden-PC276

Alert Type: %joewalkden-PC278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-05-28 21:34:21 ------------

===========================================================
===========================================================

Any help is MUCH appreciated :thumbsup:

Thanks
Joe


#2 armadillo1111

armadillo1111
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 28 May 2008 - 07:47 AM

Hi again

Since posting I discovered a similar issue on the forum - http://www.bleepingcomputer.com/forums/t/148783/infected-with-trojan-vundo/

I followed the three steps recommended by Thunder. This seems to have worked :thumbsup:

However to be sure I have uploaded and pasted the log.txt from combofix for analysis.

Thanks in advance
Joe

ComboFix 08-05-27.4 - joewalkden 2008-05-28 22:37:14.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1354 [GMT -7:00]
Running from: C:\Users\joewalkden\Desktop\ComboFixone.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 21:53 . 2008-05-28 21:53 d-------- C:\Users\joewalkden\AppData\Roaming\Malwarebytes
2008-05-28 21:53 . 2008-05-28 21:53 d-------- C:\Users\All Users\Malwarebytes
2008-05-28 21:53 . 2008-05-28 21:53 d-------- C:\ProgramData\Malwarebytes
2008-05-28 21:53 . 2008-05-28 21:53 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 21:53 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-28 21:53 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-28 21:28 . 2008-05-28 21:28 d-------- C:\Deckard
2008-05-28 21:20 . 2008-05-28 21:20 d-------- C:\Program Files\Trend Micro
2008-05-28 19:58 . 2008-05-28 20:52 d--h----- C:\$AVG8.VAULT$
2008-05-28 19:52 . 2008-05-28 19:54 d-------- C:\Windows\System32\drivers\Avg
2008-05-28 19:52 . 2008-05-28 19:52 d-------- C:\Users\All Users\avg8
2008-05-28 19:52 . 2008-05-28 19:52 d-------- C:\ProgramData\avg8
2008-05-28 19:52 . 2008-05-28 19:52 d-------- C:\Program Files\AVG
2008-05-28 19:52 . 2008-05-28 19:52 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-05-28 19:52 . 2008-05-28 19:52 67,080 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-05-28 19:52 . 2008-05-28 19:52 12,424 --a------ C:\Windows\System32\drivers\avgrkx86.sys
2008-05-28 19:52 . 2008-05-28 19:52 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-05-28 19:36 . 2008-05-28 19:37 d-------- C:\WINSSLog
2008-05-28 14:49 . 2008-03-07 17:37 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-28 14:49 . 2008-03-07 21:30 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-05-27 19:22 . 2008-05-27 19:22 d-------- C:\Program Files\FileZilla FTP Client
2008-05-26 22:15 . 2008-05-26 22:15 d-------- C:\Program Files\MSXML 4.0
2008-05-26 21:57 . 2008-05-26 21:57 d-------- C:\Program Files\NeroInstall.bak
2008-05-26 21:48 . 2008-05-26 21:48 d-------- C:\Users\joewalkden\AppData\Roaming\Nero
2008-05-26 21:37 . 2008-05-26 21:37 d-------- C:\Users\All Users\Nero
2008-05-26 21:37 . 2008-05-26 21:37 d-------- C:\ProgramData\Nero
2008-05-26 21:37 . 2008-05-26 21:37 d-------- C:\Program Files\Nero
2008-05-26 21:37 . 2008-05-26 21:44 d-------- C:\Program Files\Common Files\Nero
2008-05-26 21:06 . 2008-05-26 21:06 d-------- C:\Users\All Users\FLEXnet
2008-05-26 21:06 . 2008-05-26 21:06 d-------- C:\ProgramData\FLEXnet
2008-05-26 20:47 . 2008-05-26 21:34 d-------- C:\Users\All Users\Adobe
2008-05-26 20:35 . 2008-05-26 20:35 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 20:27 . 2008-05-26 20:46 d-------- C:\Program Files\Common Files\Adobe
2008-05-26 20:09 . 2008-05-26 20:09 d-------- C:\Program Files\PowerISO
2008-05-26 20:07 . 2008-05-26 20:07 d-------- C:\Program Files\ExtractNow
2008-05-26 18:46 . 2008-05-26 20:09 d-------- C:\Users\joewalkden\AppData\Roaming\Azureus
2008-05-26 18:46 . 2008-05-26 18:46 d-------- C:\Users\All Users\Azureus
2008-05-26 18:46 . 2008-05-26 18:46 d-------- C:\ProgramData\Azureus
2008-05-26 18:44 . 2008-05-26 18:45 d-------- C:\Program Files\Azureus
2008-05-26 18:38 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-05-26 18:36 . 2008-05-26 18:36 d-------- C:\Program Files\Microsoft Works
2008-05-26 18:33 . 2008-05-26 18:33 d-------- C:\Program Files\Microsoft.NET
2008-05-26 18:30 . 2008-05-26 18:30 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-26 18:29 . 2008-05-28 18:44 d-------- C:\Users\All Users\Microsoft Help
2008-05-26 18:29 . 2008-05-28 18:44 d-------- C:\ProgramData\Microsoft Help
2008-05-26 18:26 . 2008-05-26 18:27 d-------- C:\Program Files\Flickr Uploadr
2008-05-26 18:23 . 2008-05-26 18:23 d-------- C:\Program Files\Guitar-Online Tools
2008-05-26 18:11 . 2008-05-26 18:16 d-------- C:\Program Files\Windows Live
2008-05-26 18:10 . 2008-05-26 18:10 d-------- C:\Users\All Users\WLInstaller
2008-05-26 18:10 . 2008-05-26 18:10 d-------- C:\ProgramData\WLInstaller
2008-05-26 17:58 . 2007-03-14 18:52 1,152,000 --a------ C:\Windows\System32\themecpl.dll
2008-05-26 17:58 . 2007-07-19 16:55 233,888 --a------ C:\Windows\System32\DreamScene.dll
2008-05-26 17:57 . 2008-05-26 17:57 0 --a------ C:\Windows\ativpsrm.bin
2008-05-25 21:48 . 2008-05-25 21:48 1,585,664 --a------ C:\Windows\System32\setupapi.dll
2008-05-25 21:39 . 2008-05-28 22:15 d-------- C:\Users\joewalkden\AppData\Roaming\skypePM
2008-05-25 21:39 . 2008-05-28 22:22 d-------- C:\Users\joewalkden\AppData\Roaming\Skype
2008-05-25 21:39 . 2008-05-25 21:39 56 --ah----- C:\Users\All Users\ezsidmv.dat
2008-05-25 21:39 . 2008-05-25 21:39 56 --ah----- C:\ProgramData\ezsidmv.dat
2008-05-25 21:36 . 2008-05-25 21:36 d-------- C:\Users\All Users\Skype
2008-05-25 21:36 . 2008-05-25 21:36 d-------- C:\ProgramData\Skype
2008-05-25 21:36 . 2008-05-25 21:37 d-------- C:\Program Files\Skype
2008-05-25 21:36 . 2008-05-25 21:36 d-------- C:\Program Files\Common Files\Skype
2008-05-25 21:21 . 2008-05-25 21:21 d-------- C:\Users\joewalkden\AppData\Roaming\Apple Computer
2008-05-25 21:21 . 2008-05-25 21:21 d-------- C:\Program Files\iTunes
2008-05-25 21:21 . 2008-05-25 21:21 d-------- C:\Program Files\iPod
2008-05-25 21:21 . 2008-05-25 21:21 d-------- C:\Program Files\Bonjour
2008-05-25 21:20 . 2008-05-25 21:21 d-------- C:\Users\All Users\Apple Computer
2008-05-25 21:20 . 2008-05-25 21:21 d-------- C:\ProgramData\Apple Computer
2008-05-25 21:20 . 2008-05-25 21:21 d-------- C:\Program Files\QuickTime
2008-05-25 21:20 . 2008-05-25 21:20 d-------- C:\Program Files\Apple Software Update
2008-05-25 21:19 . 2008-05-25 21:19 d-------- C:\Users\All Users\Apple
2008-05-25 21:19 . 2008-05-25 21:19 d-------- C:\ProgramData\Apple
2008-05-25 21:19 . 2008-05-25 21:19 d-------- C:\Program Files\Common Files\Apple
2008-05-25 21:07 . 2008-05-25 21:53 d-------- C:\Windows\System32\Macromed
2008-05-25 21:06 . 2008-05-26 18:14 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-25 20:43 . 2008-05-28 19:23 d----c--- C:\Windows\System32\DRVSTORE
2008-05-25 20:42 . 2008-05-25 20:42 d-------- C:\Windows\PCHEALTH
2008-05-25 19:55 . 2008-05-28 19:51 d--hs---- C:\Windows\Installer
2008-05-25 19:55 . 2008-05-25 19:55 d-------- C:\Program Files\Microsoft Silverlight
2008-05-25 19:27 . 2008-05-25 19:27 694,784 --a------ C:\Windows\System32\localspl.dll
2008-05-25 19:26 . 2008-05-25 19:26 2,923,520 --a------ C:\Windows\explorer.exe
2008-05-25 19:25 . 2008-05-25 19:25 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-05-25 19:25 . 2008-05-25 19:25 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-05-25 19:24 . 2008-05-25 19:24 376,320 --a------ C:\Windows\System32\winsrv.dll
2008-05-25 19:24 . 2008-05-25 19:24 49,664 --a------ C:\Windows\System32\csrsrv.dll
2008-05-25 19:21 . 2008-05-25 19:21 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-05-25 19:21 . 2008-05-25 19:21 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-05-25 19:20 . 2008-05-25 19:20 414,208 --a------ C:\Windows\System32\msscp.dll
2008-05-25 19:20 . 2008-05-25 19:20 374,456 --a------ C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-05-25 19:19 . 2008-05-25 19:19 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-05-25 19:19 . 2008-05-25 19:19 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-05-25 19:19 . 2008-05-25 19:19 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-05-25 19:19 . 2008-05-25 19:19 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-05-25 19:19 . 2008-05-25 19:19 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-05-25 19:18 . 2008-05-25 19:18 396,800 --a------ C:\Windows\System32\MPSSVC.dll
2008-05-25 19:18 . 2008-05-25 19:18 392,192 --a------ C:\Windows\System32\FirewallAPI.dll
2008-05-25 19:18 . 2008-05-25 19:18 178,688 --a------ C:\Windows\System32\iphlpsvc.dll
2008-05-25 19:18 . 2008-05-25 19:18 86,016 --a------ C:\Windows\System32\icfupgd.dll
2008-05-25 19:18 . 2008-05-25 19:18 63,488 --a------ C:\Windows\System32\drivers\mpsdrv.sys
2008-05-25 19:18 . 2008-05-25 19:18 61,952 --a------ C:\Windows\System32\cmifw.dll
2008-05-25 19:18 . 2008-05-25 19:18 23,040 --a------ C:\Windows\System32\drivers\tunnel.sys
2008-05-25 19:18 . 2008-05-25 19:18 16,896 --a------ C:\Windows\System32\wfapigp.dll
2008-05-25 19:18 . 2008-05-25 19:18 15,360 --a------ C:\Windows\System32\drivers\TUNMP.SYS
2008-05-25 19:17 . 2008-05-25 19:17 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-05-25 19:17 . 2008-05-25 19:17 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-05-25 19:17 . 2008-05-25 19:17 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-05-25 19:17 . 2008-05-25 19:17 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-05-25 19:17 . 2008-05-25 19:17 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-05-25 19:17 . 2008-05-25 19:17 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-05-25 19:17 . 2008-05-25 19:17 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-05-25 19:17 . 2008-05-25 19:17 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-05-25 19:16 . 2008-05-25 19:16 1,191,936 --a------ C:\Windows\System32\msxml3.dll
2008-05-25 19:16 . 2008-05-25 19:16 104,448 --a------ C:\Windows\System32\DWWIN.EXE
2008-05-25 19:16 . 2008-05-25 19:16 2,048 --a------ C:\Windows\System32\msxml3r.dll
2008-05-25 19:14 . 2008-05-25 19:14 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-05-25 19:14 . 2008-05-25 19:14 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-05-25 19:14 . 2008-05-25 19:14 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-05-25 19:14 . 2008-05-25 19:14 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-05-25 19:14 . 2008-05-25 19:14 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-05-25 19:13 . 2008-05-25 19:13 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-05-25 19:11 . 2008-05-25 19:11 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-05-25 19:11 . 2008-05-25 19:11 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-05-25 19:11 . 2008-05-25 19:11 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-05-25 19:11 . 2008-05-25 19:11 2,048 --a------ C:\Windows\System32\asferror.dll
2008-05-25 19:10 . 2008-05-25 19:10 2,605,568 --a------ C:\Windows\System32\SLsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 01:36 --------- d-----w C:\Program Files\MSBuild
2008-05-26 02:42 174 --sha-w C:\Program Files\desktop.ini
2008-05-26 02:37 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-26 02:37 --------- d-----w C:\Program Files\Windows Mail
2008-05-26 02:37 --------- d-----w C:\Program Files\Windows Defender
2008-05-26 02:37 --------- d-----w C:\Program Files\Windows Calendar
2008-05-26 02:28 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-05-26 02:28 77,824 ----a-w C:\Windows\System32\rascfg.dll
2008-05-26 02:28 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-05-26 02:28 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2008-05-26 02:28 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-05-26 02:28 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2008-05-26 02:28 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2008-05-26 02:28 22,016 ----a-w C:\Windows\System32\rasser.dll
2008-05-26 02:28 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-05-26 02:27 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-05-26 02:27 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-05-26 02:27 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-05-26 02:27 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-05-26 02:27 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-05-26 02:27 33,280 ----a-w C:\Windows\System32\traffic.dll
2008-05-26 02:27 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2008-05-26 02:27 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-05-26 02:27 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2008-05-26 02:27 134,656 ----a-w C:\Windows\System32\dps.dll
2008-05-26 02:27 13,824 ----a-w C:\Windows\System32\wshqos.dll
2008-05-26 02:27 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2008-05-26 02:26 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-05-26 02:26 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-05-26 02:26 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-05-26 02:26 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-05-26 02:26 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-05-26 02:26 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-05-26 02:26 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-05-26 02:26 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-05-26 02:26 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-05-26 02:15 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2008-05-26 02:15 8,704 ----a-w C:\Windows\System32\hccoin.dll
2008-05-26 02:15 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-05-26 02:15 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-05-26 02:15 25,600 ----a-w C:\Windows\System32\LangCleanupSysprepAction.dll
2008-05-26 02:15 23,552 ----a-w C:\Windows\System32\lpremove.exe
2008-05-26 02:15 23,040 ----a-w C:\Windows\system32\drivers\usbuhci.sys
2008-05-26 02:15 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-05-26 02:15 192,000 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-05-26 02:15 166,912 ----a-w C:\Windows\System32\lpksetup.exe
2008-05-26 02:15 10,240 ----a-w C:\Windows\System32\MUILanguageCleanup.dll
2008-05-26 02:05 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-05-26 02:05 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-05-26 02:05 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-05-26 02:05 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-05-26 02:05 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-05-26 02:05 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-05-26 02:05 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-05-26 02:03 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-05-26 02:03 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-05-26 02:03 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-05-26 02:03 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-29 00:38 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-25 19:06 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 05:34 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-28 19:52 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8A33CAB1-12CF-4A4D-94B8-AFCFB412DF4E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0C602738-559F-4A9C-8A9B-8DB7D52E196C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{D729574A-1DFA-4002-8D0F-5AB332462395}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B95A3248-CDBB-4DB9-B58A-B5C241FCCAC2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{DE7C27F6-FDB9-4ECC-A636-62909C7900D4}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{724B3EFC-46DD-4477-9E51-8F22FF611A0C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E8206515-234E-4F2D-A47E-0A4B53037DB9}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{67FEA20E-BCAE-44C4-9F30-ED296605E124}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{57AE407C-40C4-4AFC-A170-7631F38837D3}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FDFB9DF7-F88C-414E-8934-8AADB537EA74}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{08714435-EBD3-4349-924C-7A159BC9767E}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A1FC1832-628F-4881-800E-72CBF0337DDE}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{92D35A25-C3AD-417B-99FF-45FD43A08AD5}"= C:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 AvgRkx86;avgrkx86.sys;C:\Windows\system32\Drivers\avgrkx86.sys [2008-05-28 19:52]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-05-28 19:52]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 19:52]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-29 03:13]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-05-28 19:52]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 00:30]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-29 03:13]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 02:36:30 C:\Windows\Tasks\User_Feed_Synchronization-{18FC9DD2-696D-4339-863E-660A0BFB7D9E}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 22:40:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 22:41:54
ComboFix-quarantined-files.txt 2008-05-29 05:41:18

Pre-Run: 61,679,022,080 bytes free
Post-Run: 61,663,375,360 bytes free

261 --- E O F --- 2008-05-29 01:45:42

Attached Files

  • Attached File  log.txt   19.3KB   33 downloads
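
The log in the post above is the kind of thing a helper reads by eye: the Run keys, the AppInit_DLLs value, and any kernel driver that appeared in System32\drivers in the last few days. As an added example that is not part of this thread or of ComboFix itself, the Python below parses a constructed excerpt modeled on that log and lists the entries worth checking first. The section headers and line layout follow ComboFix's output as posted; the trusted-directory list, the three-day window, the scan timestamp and the planted 'khfgdsa' Temp-folder Run entry are assumptions made for the example. The AVG entries it surfaces are legitimate (the same log records the AVG 8 install); the script only marks them for review.

```python
"""Triage helper for ComboFix-style logs: list autostart entries and recently
created kernel drivers so a reviewer can check them against known publishers.

Added example for this thread, not code from ComboFix or BleepingComputer.
Section headers and line layouts follow the log posted above; the parsing
rules, TRUSTED_PREFIXES, the three-day window and the planted 'khfgdsa'
Temp-folder Run entry in SAMPLE_LOG are assumptions made for this example.
"""
import re
from datetime import datetime, timedelta

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "<created> . <last write> [size] <attrs> <path>", as ComboFix prints it
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:([\d,]+) )?([a-z-]{9}) (.+)$"
)
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1", r"c:\windows")
SCAN_TIME = datetime(2008, 5, 28, 22, 40)  # rootkit-scan timestamp in the posted log

# Constructed excerpt modeled on the posted log; the khfgdsa line is planted.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.
2008-05-28 21:53 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-28 19:52 . 2008-05-28 19:52 96,520 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-05-28 19:52 . 2008-05-28 19:52 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-05-27 19:22 . 2008-05-27 19:22 d-------- C:\Program Files\FileZilla FTP Client
2008-05-25 19:14 . 2008-05-25 19:14 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-25 19:06 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-28 19:52 1177368]
"khfgdsa"="C:\Users\joe\AppData\Local\Temp\khfgdsa.exe" [2008-05-28 20:01 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
"""


def parse_sections(text):
    """Map each '(((( Title ))))' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_autoruns(lines):
    """Yield (key, name, value) for REGEDIT4-style lines under a [HKEY...] key."""
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, rest = line[1:].partition('"=')
            # drop the trailing "[timestamp size]" annotation and surrounding quotes
            value = rest.split(" [", 1)[0].strip().strip('"')
            yield key, name, value


def parse_created_files(lines):
    """Yield (created, last_write, size, attrs, path); size is None for directories."""
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        created, written, size, attrs, path = m.groups()
        yield (datetime.strptime(created, "%Y-%m-%d %H:%M"),
               datetime.strptime(written, "%Y-%m-%d %H:%M"),
               int(size.replace(",", "")) if size else None, attrs, path)


def triage(text, scan_time, recent_days=3):
    """Return (category, detail) findings a reviewer should look at first."""
    sections = parse_sections(text)
    reg = next((v for k, v in sections.items() if k.startswith("Reg Loading Points")), [])
    files = next((v for k, v in sections.items() if k.startswith("Files Created")), [])
    findings = []
    for key, name, value in parse_autoruns(reg):
        if name.lower() == "appinit_dlls" and value:
            # Loaded into every process that maps user32.dll; AV products use it
            # legitimately (AVG here), so this means "verify", not "malicious".
            findings.append(("appinit_dlls", value))
        elif key.lower().endswith("\\run") and not value.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("run_outside_program_dirs", f"{name} -> {value}"))
    cutoff = scan_time - timedelta(days=recent_days)
    for created, _written, _size, attrs, path in parse_created_files(files):
        if attrs.startswith("d"):
            continue  # directories carry no code of their own
        if path.lower().endswith(".sys") and created >= cutoff:
            findings.append(("recent_kernel_driver", path))
    return findings


def run_sample():
    """Run the triage over the constructed sample at the log's own scan time."""
    return triage(SAMPLE_LOG, SCAN_TIME)


if __name__ == "__main__":
    for category, detail in run_sample():
        print(f"{category:26} {detail}")
```

Run it as a script to print the findings, or call `triage()` on the contents of C:\ComboFix.txt with the completion time from its footer. A hit means "verify this", not "malware": the point of the date window is to line each newly created driver up with an install the user actually performed, and here avgldx86.sys and avgrsstx.dll match the AVG 8 install recorded in the same log, while the planted Temp-folder Run entry is the pattern that does deserve a closer look.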


#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:34 AM

Posted 04 June 2008 - 03:55 PM

Hello Armadillo1111 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:34 AM

Posted 02 July 2008 - 04:52 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.