Infected With Vundo/virtumonde... And Possibly Others


  • This topic is locked
19 replies to this topic

#1 jakenbrock
Posted 15 June 2008 - 11:31 PM

Hi

Recently had my hard drive go down and in the process of repairing it I didn't get adequate protection on it in time. Sorted out the relevant installations last week only to discover a host of virus/spyware/adware already onboard. I have a subscription for McAfee Total Protection, which I have scanned my system with, along with SpyBot and ZoneAlarm. The most notably consistent infection is SpyBot's discovery of "DeepDive" and "Virtumonde" with every scan, which of course it attempts to delete to no avail. ZoneAlarm informs me that it blocks "Intop.info" when I launch IE for the first time after any restart.

Also worth noting: my wife noticed that she had her "hotmail" and "ebay" accounts hijacked about 10 days ago. The villain had blocked her out of both accounts and was selling iMacs through her ebay. Since then her ebay account has been cancelled by her and her hotmail was wiped clean and started again (i.e. all of the old saved, sent or received files were gone). Not sure if this is related to the problem I'm having now; suspect it might be the case.

Anyway, please find the Kaspersky, then DSS "main" and "extra" logs below:

Thanks for any help you can give me.

jakenbrock

***************************************

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 15, 2008 23:58:11
Records in database: 870168
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 88059
Threat name 3
Infected objects 8
Suspicious objects 0
Duration of the scan 02:01:43

File name Threat name Threats count
C:\Program Files\altcmd\altcmd32.dll/C:\Program Files\altcmd\altcmd32.dll Infected: Trojan.Win32.Dialer.bps 1
C:\Documents and Settings\Owner\Application Data\temp.dll Infected: Trojan.Win32.Dialer.bps 1
C:\Documents and Settings\Owner\Temporary Internet Files\Content.IE5\4BR72ZGO\dll_b_upd.3.244[1].dll Infected: Trojan.Win32.Dialer.bps 1
C:\Documents and Settings\Owner\Temporary Internet Files\Content.IE5\AJP3F9S8\dll_b_upd.3.244[1].dll Infected: Trojan.Win32.Dialer.bps 1
C:\Program Files\altcmd\altcmd32.dll Infected: Trojan.Win32.Dialer.bps 1
C:\Program Files\altcmd\altcmd32.dll1 Infected: Trojan.Win32.Dialer.bps 1
C:\WINDOWS\444.0 Infected: Trojan.Win32.DNSChanger.ejb 1
C:\WINDOWS\system32\2q4w4e.exe Infected: Trojan.Win32.Dialer.bpy 1
The selected area was scanned.

DSS MAIN ***************************************

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-16 13:52:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-06-16 03:52:51 UTC - RP50 - Deckard's System Scanner Restore Point
38: 2008-06-16 00:16:33 UTC - RP49 - Removed Tetris 1.2
37: 2008-06-13 05:30:54 UTC - RP48 - Deckard's System Scanner Restore Point
36: 2008-06-12 00:47:13 UTC - RP47 - Last known good configuration
35: 2008-06-12 00:47:05 UTC - RP46 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-12 00:46:44 UTC - RP12 - Removed Sonic MyDVD Plus


Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:19 PM, on 16/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BhoApp Class - {32131238-5434-4234-4234-432432423432} - C:\Program Files\altcmd\altcmd32.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {91648AB6-FA55-44C5-A074-7F8D58FB77B6} - C:\WINDOWS\system32\hgGASJcA.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [f8c175b6] rundll32.exe "C:\WINDOWS\system32\viuvhjsw.dll",b
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\23424.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=presario&pf=laptop
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10701 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 RetroExpLauncher (Retrospect Express HD Launcher) - "c:\progra~1\retros~1\retros~1.0\retrorun.exe" <Not Verified; EMC Corporation; Retrospect Express HD>

S2 SysEnforce - c:\progra~1\trisna~1\ssi\sysenf~1.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 468)
2008-06-13 12:02:22 80896 --a------ C:\WINDOWS\system32\viuvhjsw.dll

C:\WINDOWS\system32\rundll32.exe (pid 2892)
2008-06-13 12:02:22 80896 --a------ C:\WINDOWS\system32\viuvhjsw.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-06-07 13:17:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-14 09:35:40 80896 --a------ C:\WINDOWS\system32\viuvhjsw.dll
2008-06-13 12:04:03 0 d------c- C:\qrnt
2008-06-13 10:28:10 0 d------c- C:\VundoFix Backups
2008-06-12 22:00:27 159744 --a------ C:\WINDOWS\system32\hasher.dll <Not Verified; ; hasher Dynamic Link Library>
2008-06-12 22:00:26 0 d-------- C:\Program Files\Trisnap Technologies
2008-06-12 19:51:03 0 -rahs--c- C:\MSDOS.SYS
2008-06-12 19:51:03 0 -rahs--c- C:\IO.SYS
2008-06-12 19:05:25 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-12 19:05:15 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-06-12 18:44:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 18:01:31 0 d--hs--c- C:\Documents and Settings\LocalService\History
2008-06-12 14:50:05 0 d------c- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-12 14:49:46 0 d-------- C:\Program Files\SiteAdvisor
2008-06-12 14:49:46 0 d------c- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-06-12 14:49:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-12 14:49:46 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 14:41:42 0 d-------- C:\Program Files\McAfee
2008-06-12 11:42:27 0 d-------- C:\Program Files\altcmd
2008-06-12 11:42:25 163840 --a------ C:\WINDOWS\system32\2q4w4e.exe
2008-06-12 10:46:34 1867 --ahs---- C:\WINDOWS\system32\AcJSAGgh.ini2
2008-06-12 10:42:20 298311 --a------ C:\WINDOWS\system32\gside.exe
2008-06-12 10:42:14 0 d-------- C:\WINDOWS\system32\bip
2008-06-12 10:42:14 0 d-------- C:\WINDOWS\system32\BE1
2008-06-12 10:42:14 0 d-------- C:\WINDOWS\system32\40541
2008-06-12 10:42:09 0 d-------- C:\WINDOWS\system32\vntiho06
2008-06-12 10:42:09 0 d------c- C:\Temp
2008-06-02 20:37:00 0 d------c- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-01 11:33:18 0 d------c- C:\Documents and Settings\Owner\Application Data\Sonic
2008-06-01 11:33:08 0 d------c- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-31 22:01:38 0 d-------- C:\WINDOWS\Sun
2008-05-31 22:01:38 0 d------c- C:\Documents and Settings\Owner\Application Data\Sun
2008-05-31 13:17:06 0 d--hs--c- C:\Documents and Settings\NetworkService\Temporary Internet Files
2008-05-31 13:17:06 0 d--hs--c- C:\Documents and Settings\NetworkService\History
2008-05-26 21:27:43 0 d-------- C:\WINDOWS\system32\Adobe
2008-05-25 19:33:12 0 d-a----c- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 20:07:56 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2008-05-18 15:05:20 0 d-------- C:\Program Files\iriver
2008-05-17 18:09:12 0 d------c- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-17 15:42:20 0 d-------- C:\Program Files\MP3Gain
2008-05-17 12:59:23 0 d-------- C:\Program Files\Safari
2008-05-17 12:58:33 0 d-------- C:\Program Files\QuickTime
2008-05-17 12:58:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-17 12:55:37 0 d-------- C:\Program Files\Apple Software Update
2008-05-17 12:55:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-16 21:12:37 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-16 21:01:59 0 d------c- C:\Documents and Settings\Owner\Application Data\Talkback
2008-05-16 20:23:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-16 20:19:55 0 d------c- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-05-16 20:19:24 0 d-------- C:\Program Files\Common Files\Real
2008-05-16 20:19:22 0 d-------- C:\Program Files\Real
2008-05-16 20:18:54 0 d------c- C:\Documents and Settings\Owner\Application Data\Real
2008-05-16 19:55:57 0 d------c- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-16 19:55:20 0 d-------- C:\Program Files\LimeWire
2008-05-16 18:07:33 0 d-------- C:\Program Files\Common Files\Control Panels


-- Find3M Report ---------------------------------------------------------------

2008-06-10 21:11:57 0 d------c- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-08 18:22:01 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-31 20:34:39 0 d-------- C:\Program Files\Java
2008-05-17 12:58:20 0 d-------- C:\Program Files\Bonjour
2008-05-16 21:12:37 0 d-------- C:\Program Files\Common Files
2008-05-15 22:20:02 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-15 21:24:44 0 d-------- C:\Program Files\Messenger
2008-05-15 21:24:28 0 d-------- C:\Program Files\Movie Maker
2008-05-15 21:22:07 0 d-------- C:\Program Files\Windows NT
2008-05-15 20:52:56 0 d-------- C:\Program Files\Retrospect
2008-05-15 20:46:45 0 d-------- C:\Program Files\Western Digital Technologies
2008-05-15 20:46:43 339968 --a------ C:\WINDOWS\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>
2008-05-14 22:18:03 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-13 21:03:07 0 d-------- C:\Program Files\Online Services
2008-05-13 20:52:58 0 d-------- C:\Program Files\Oberon Media
2008-05-13 20:45:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-13 20:43:56 0 d-------- C:\Program Files\Microsoft Works
2008-05-13 20:39:19 19 --a------ C:\WINDOWS\popcinfo.dat
2008-05-13 20:26:09 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-13 20:18:54 0 d------c- C:\Documents and Settings\Owner\Application Data\EndNote
2008-05-13 20:10:58 0 d------c- C:\Documents and Settings\Owner\Application Data\muvee Technologies
2008-05-13 18:44:50 0 d------c- C:\Documents and Settings\Owner\Application Data\Google
2008-05-13 18:35:44 0 d-------- C:\Program Files\Google
2008-05-13 10:04:09 1024 ---h---c- C:\diskfile1
2008-05-09 10:46:29 0 d-------- C:\Program Files\Common Files\Risxtd
2008-05-09 10:41:06 0 d-------- C:\Program Files\CyberLink
2008-05-09 10:38:04 0 d-------- C:\Program Files\Ahead
2008-05-09 10:37:48 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-09 10:24:14 0 d-------- C:\Program Files\Common Files\L&H
2008-05-09 10:24:00 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-09 10:21:32 0 d-------- C:\Program Files\Microsoft.NET
2008-05-09 10:16:59 0 d-------- C:\Program Files\Synaptics
2008-05-09 10:16:57 0 d-------- C:\Program Files\Sonic
2008-05-09 10:14:25 0 d-------- C:\Program Files\NetWaiting
2008-05-09 10:14:05 0 d-------- C:\Program Files\muvee Technologies
2008-05-09 10:14:04 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-09 10:13:19 0 d-------- C:\Program Files\microsoft frontpage
2008-05-09 10:13:10 0 d-------- C:\Program Files\Intel
2008-05-09 10:12:59 0 d-------- C:\Program Files\HPQ
2008-05-09 10:12:58 0 d-------- C:\Program Files\HP
2008-05-09 10:12:23 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-09 10:12:05 0 d-------- C:\Program Files\DivX
2008-05-09 10:12:04 0 d-------- C:\Program Files\CONEXANT
2008-05-09 10:11:41 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-05-09 10:11:41 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-09 10:11:39 0 d-------- C:\Program Files\Common Files\ODBC
2008-05-09 10:11:25 0 d-------- C:\Program Files\Common Files\MSSoap
2008-05-09 10:11:15 0 d-------- C:\Program Files\Common Files\Java
2008-05-09 10:11:15 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-09 10:09:21 0 d------c- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-05-09 10:09:21 0 d------c- C:\Documents and Settings\Owner\Application Data\Identities
2008-05-09 09:56:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-09 08:55:32 0 d-------- C:\Program Files\CA
2008-05-09 08:49:47 8 --a------ C:\WINDOWS\system32\success
2008-05-09 08:49:38 0 d-------- C:\Program Files\Common Files\Deterministic Networks
2008-05-09 08:49:10 0 d-------- C:\Program Files\Cisco Systems


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32131238-5434-4234-4234-432432423432}]
16/06/2008 11:04 AM 147456 --a------ C:\Program Files\altcmd\altcmd32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91648AB6-FA55-44C5-A074-7F8D58FB77B6}]
C:\WINDOWS\system32\hgGASJcA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [04/05/2006 03:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [23/03/2006 10:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [23/03/2006 10:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [23/03/2006 10:17 PM]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [03/06/2006 01:02 AM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [15/09/2007 02:27 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [23/06/2006 04:43 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [17/02/2005 01:11 AM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/06/2006 05:21 PM]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [19/06/2006 12:50 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [11/10/2005 12:23 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 11:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 11:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 11:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 11:00 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [31/10/2003 07:42 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [22/05/2008 07:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
"WD Button Manager"="WDBtnMgr.exe" [15/05/2008 08:46 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [11/09/2006 05:32 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [15/09/2007 02:29 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [16/05/2008 09:12 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 11:37 PM]
"f8c175b6"="C:\WINDOWS\system32\viuvhjsw.dll" [13/06/2008 12:02 PM]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [05/03/2008 12:00 AM]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [05/03/2008 12:00 AM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [29/08/2007 06:07 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02/04/2008 09:07 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [23/05/2008 08:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12 AM]
"Microsoft Windows Installer"="C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\23424.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGASJcA

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8724 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-16 13:56:22 ------------

DSS EXTRA*****************************************

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M CPU 430 @ 1.73GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1014.05 MiB / 474.72 MiB
Pagefile Memory (total/avail): 2439.54 MiB / 1951.44 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1861.12 MiB

C: is Fixed (NTFS) - 48.25 GiB total, 15.97 GiB free.
D: is Fixed (FAT32) - 7.62 GiB total, 0.87 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD600BEVS-60LAT0 - 55.9 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 48.25 GiB - C:
\PARTITION1 - Unknown - 7.64 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPAQC300
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\COMPAQC300
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCTYPE=PRESARIO
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=COMPAQC300
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 --> C:\Program Files\Common Files\Adobe\Installers\05ba3a63f36684fe0c5dde2ebe6f8f5\Setup.exe
Adobe InDesign CS3 --> MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe InDesign CS3 Icon Handler --> MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup --> MsiExec.exe /I{56B8B892-317E-4FDE-9E4D-44B189848A27}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe SING CS3 --> MsiExec.exe /I{3F9B2FD2-1C83-4401-9967-C3636638E958}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
altcompare --> C:\Program Files\altcmd\uninstall.bat
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CA Internet Security Suite --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\UIU32a.exe -U -Icpl30a5a.inf
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_CPL30A5m\HXFSETUP.EXE -U -ICPL30A5m.inf
HijackThis 2.0.2 --> "C:\Documents and Settings\Owner\My Documents\HijackThis.exe" /uninstall
HP DVD Play 2.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Quick Launch Buttons 6.10 A1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe" -l0x9 -removeonly uninst
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP User Guides--System Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC96BBA7-C634-460E-AD18-A0A994213F80}\Setup.exe" -l0x9 -removeonly
HP User Guides 0037 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{552E6DA4-A0F9-41AC-8473-E825D60674EA}\setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 G2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
iriver plus 3 (remove only) --> "C:\Program Files\iriver\iriver plus 3\uninstall.exe"
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Keyboard Shortcuts Panel --> MsiExec.exe /I{AF515C21-22F7-41B7-B2D1-1E06093BC13A}
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Shockwave Player --> MsiExec.exe /X{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}
McAfee Browser Protection Service --> C:\Program Files\McAfee\Managed VirusScan\Agent\myINX.exe /Script=C:\Program Files\McAfee\Managed VirusScan\BrowseProtection\BrowseProtection.inx /Section=DefaultUninstall
McAfee Virus and Spyware Protection Service --> C:\PROGRA~1\McAfee\MANAGE~1\Agent\myinx /Script=C:\PROGRA~1\McAfee\MANAGE~1\VScan\vsasap.inx /Section=DefaultUninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Retrospect Express HD 2.0 --> MsiExec.exe /I{5D652EC3-8AC0-41E7-B337-162BC7B01148}
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SmartAudio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}\setup.exe" -l0x9 -removeonly -S
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip 11.2 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
ZoneAlarm Pro --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type665 / Error
Event Submitted/Written: 06/12/2008 10:18:23 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ssi.exe, version 3.1.0.26, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x00002cd2.
Processing media-specific event for [ssi.exe!ws!]

Event Record #/Type664 / Error
Event Submitted/Written: 06/12/2008 10:17:36 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 752337601.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type663 / Error
Event Submitted/Written: 06/12/2008 10:17:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ssi.exe, version 3.1.0.26, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x00002cd2.
Processing media-specific event for [ssi.exe!ws!]

Event Record #/Type661 / Error
Event Submitted/Written: 06/12/2008 10:11:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ssi.exe, version 3.1.0.26, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x00002cd2.
Processing media-specific event for [ssi.exe!ws!]

Event Record #/Type659 / Error
Event Submitted/Written: 06/12/2008 10:08:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ssi.exe, version 3.1.0.26, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x00002cd2.
Processing media-specific event for [ssi.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3968 / Error
Event Submitted/Written: 06/16/2008 01:36:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SysEnforce service failed to start due to the following error:
%%2

Event Record #/Type3929 / Error
Event Submitted/Written: 06/16/2008 10:58:15 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SysEnforce service failed to start due to the following error:
%%2

Event Record #/Type3901 / Error
Event Submitted/Written: 06/16/2008 10:50:13 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SysEnforce service failed to start due to the following error:
%%2

Event Record #/Type3875 / Error
Event Submitted/Written: 06/16/2008 10:33:55 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SysEnforce service failed to start due to the following error:
%%2

Event Record #/Type3867 / Error
Event Submitted/Written: 06/16/2008 10:16:46 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-06-16 13:56:22 ------------

That's it. Once again Thanks for your time.
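Added example (the editor's, not part of jakenbrock's post and not a Deckard's System Scanner feature): a small parser for the event-log section of the report above. It groups Service Control Manager 7000/7023 records by service and decodes the %%N value as a Win32 error code, so a service that keeps failing with %%2 (ERROR_FILE_NOT_FOUND, the registered binary path no longer exists) or %%126 (ERROR_MOD_NOT_FOUND, a DLL it depends on is missing) stands out. The sample records are copied from the log above; the WIN32_ERRORS table is a hand-picked subset, and nothing here says whether SysEnforce is good or bad, only that its file is gone and its registration is worth checking.

```python
"""Triage the event-log section of a Deckard's System Scanner report.

Groups records by source/event ID and, for Service Control Manager 7000
(failed to start) and 7023 (terminated) records, decodes the %%N Win32 error
code.  Added editorial example; SAMPLE_LOG is copied from the post above.
"""
import re
from collections import defaultdict

# Hand-picked subset of Win32 error codes that appear as %%N in SCM messages.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND: the service binary path does not exist",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    126: "ERROR_MOD_NOT_FOUND: a DLL the service depends on is missing",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
}

SAMPLE_LOG = """\
Event Record #/Type3968 / Error
Event Submitted/Written: 06/16/2008 01:36:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SysEnforce service failed to start due to the following error:
%%2

Event Record #/Type3929 / Error
Event Submitted/Written: 06/16/2008 10:58:15 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SysEnforce service failed to start due to the following error:
%%2

Event Record #/Type3867 / Error
Event Submitted/Written: 06/16/2008 10:16:46 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126
"""

# One "Event Record" block: header lines, then the description up to the
# blank line that precedes the next record (or end of text).
RECORD_RE = re.compile(
    r"Event Record #/Type(?P<rec>\d+) / (?P<level>\w+)\n"
    r"Event Submitted/Written: (?P<when>[^\n]+)\n"
    r"Event ID/Source: (?P<eid>\d+) / (?P<source>[^\n]+)\n"
    r"Event Description:\n(?P<desc>.*?)(?=\n\nEvent Record|\Z)",
    re.S,
)
SERVICE_RE = re.compile(r"^The (?P<svc>.+?) service (?:failed to start|terminated)", re.M)
ERRCODE_RE = re.compile(r"%%(\d+)")


def parse_records(text):
    """Yield one dict per 'Event Record' block in the report section."""
    for m in RECORD_RE.finditer(text):
        yield {k: m.group(k) for k in ("rec", "level", "when", "eid", "source", "desc")}


def service_failures(text):
    """Return {service: {"count": n, "errors": {code: text}}} for SCM 7000/7023 records."""
    out = defaultdict(lambda: {"count": 0, "errors": {}})
    for r in parse_records(text):
        if r["source"] != "Service Control Manager" or r["eid"] not in ("7000", "7023"):
            continue
        svc = SERVICE_RE.search(r["desc"])
        code = ERRCODE_RE.search(r["desc"])
        if not svc or not code:
            continue
        n = int(code.group(1))
        entry = out[svc.group("svc")]
        entry["count"] += 1
        entry["errors"][n] = WIN32_ERRORS.get(n, "unknown Win32 error %d" % n)
    return dict(out)


if __name__ == "__main__":
    for svc, info in service_failures(SAMPLE_LOG).items():
        print("%-25s x%d  %s" % (svc, info["count"], "; ".join(info["errors"].values())))
```

Run as a script it prints one line per failing service. A service whose binary no longer exists is often the leftover registration of something a scanner or removal tool deleted, so the next step is to look the name up under HKLM\SYSTEM\CurrentControlSet\Services and see what ImagePath it points at before deciding what it was.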


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:57 PM

Posted 16 June 2008 - 01:24 PM

Hello jakenbrock,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
 It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your McAfee Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable McAfee Virusscan:  
Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
  • right-click it -> chose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You have successfully disabled the McAfee Guard.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions, install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
If you have SP3 installed, the SP2 or even SP1 package will work.
It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need the Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even if you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore for several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 16 June 2008 - 01:53 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jakenbrock

jakenbrock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 16 June 2008 - 05:48 PM

Hi SifuMike

Thanks in advance. I've nearly completed ComboFix as instructed and was away from the computer when I heard the tell-tale computer restart sound and thought that ComboFix must perform a restart during its running process.
I returned to my computer only to find that because of the restart process the antivirus software i have (McAfee, SpyBot and ZoneAlarm) relaunched themselves with the computer restart. Combofix appears to have stalled in the background whilst SpyBot is asking for an "ALLOW" or "DENY" to the following - Category: System Startup User Entry; Change: Value Delete; Entry: Microsoft Windows Installer; Old Data: C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\23424.exe
ZoneAlarm has alerted me to and wants clearance for the following SUSPICIOUS BEHAVIOUR - "Cpqset.exe is trying to set 'Cpqset' to run each time your computer is started" Application: Cpqset

Should I allow or deny the two alerts? Will it be detrimental to the completion of Combofix? Currently the blue ComboFix screen in the background reads:

Preparing Log Report
Do not run any programs until ComboFix has finished

Obviously sending you this from another terminal; I will await instruction before continuing.

Jake

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:57 PM

Posted 16 June 2008 - 06:09 PM

Hi jake,

Should I allow or deny the two alerts?


From ZA : Cpqset.exe is a valid file so do not delete it.
From Teatimer: 23424.exe is a malware file so allow the file entries from Teatimer.


Will it be detrimental to the completion of Combofix?


Yes, McAfee, SpyBot and ZoneAlarm should be disabled so ComboFix can run smoothly.
Teatimer will go nuts if you leave it on while ComboFix is working.
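Added example (the editor's, not SifuMike's and not a ComboFix or TeaTimer feature): the reasoning behind the two answers above, written as a first-pass triage of autostart entries. Each entry is scored on where its binary lives and how its file name looks, so a Run value whose friendly name borrows a Windows product name but points into the user's Application Data, with a purely numeric file name, ranks at the top. The 23424.exe entry is the one TeaTimer reported; the Cpqset path is assumed (the thread does not show it), and the swg entry is taken from the ComboFix Run list later in the thread. The name check is deliberately coarse: it catches numeric stems and eight-letter mixed-case names like the BHO DLL in the ComboFix log, nothing more.

```python
"""First-pass triage of Run-key / startup entries (added editorial example).

Scores each entry on binary location and file-name shape.  A hit means
"look closer", not "malicious".  Sample entries are constructed: the
23424.exe path is from the TeaTimer alert in the thread, the Cpqset path
is assumed, the swg path is from the ComboFix log.
"""
import ntpath

# Directories a limited user can write to on an XP layout (forward slashes
# because paths are normalised below; raw strings cannot end in a backslash).
USER_WRITABLE = ("c:/documents and settings/", "c:/temp/", "c:/windows/temp/")
# Where legitimate autostart binaries normally live.
TRUSTED_DIRS = ("c:/program files/", "c:/windows/")
# Words malware borrows for its Run-value name to look like a system component.
MASQUERADE_WORDS = ("microsoft", "windows", "installer", "update", "security")


def _norm(path):
    """Lower-case, strip quotes, and use '/' so prefix checks are simple."""
    return path.strip('"').lower().replace("\\", "/")


def name_looks_random(filename):
    """True for numeric stems (23424.exe) or 8-letter names with >=3 case flips
    (hgGASJcA.dll).  Ordinary vendor names such as cpqset.exe are not flagged."""
    stem = ntpath.splitext(ntpath.basename(filename))[0]
    if stem.isdigit():
        return True
    if len(stem) == 8 and stem.isalpha():
        flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
        return flips >= 3
    return False


def triage_entry(value_name, image_path):
    """Return (score, reasons) for one autostart entry; higher is more suspicious."""
    p = _norm(image_path)
    reasons = []
    if p.startswith(USER_WRITABLE):
        reasons.append("binary in a user-writable directory")
    elif not p.startswith(TRUSTED_DIRS):
        reasons.append("binary outside Program Files / Windows")
    if name_looks_random(p):
        reasons.append("executable name looks generated")
    if any(w in value_name.lower() for w in MASQUERADE_WORDS) and not p.startswith(TRUSTED_DIRS):
        reasons.append("value name mimics a Windows/vendor component")
    # A Microsoft-named folder under the *user* profile is a classic dropper location.
    if "/application data/microsoft/" in p and p.startswith(USER_WRITABLE):
        reasons.append("hides under per-user Application Data\\Microsoft")
    return len(reasons), reasons


# Constructed sample set (see module docstring for provenance of each path).
SAMPLE_ENTRIES = [
    ("Microsoft Windows Installer",
     r"C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\23424.exe"),
    ("Cpqset", r"C:\Program Files\HPQ\Default Settings\cpqset.exe"),  # assumed path
    ("swg", r"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"),
]


def rank(entries=SAMPLE_ENTRIES):
    """Return [((score, reasons), name, path), ...] most suspicious first."""
    scored = [(triage_entry(n, p), n, p) for n, p in entries]
    return sorted(scored, key=lambda t: -t[0][0])


if __name__ == "__main__":
    for (score, reasons), name, path in rank():
        print("%d  %-30s %s" % (score, name, path))
        for r in reasons:
            print("     - " + r)
```

The Cpqset entry scores zero and the 23424.exe entry collects every reason, which is the same split SifuMike gave from experience: a trusted vendor binary in Program Files versus a numerically named executable in the user's Application Data wearing a Microsoft label.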

#5 jakenbrock

jakenbrock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 16 June 2008 - 06:45 PM

Sorry, I disabled them but didn't realise that the restart would occur halfway through. Turned off TeaTimer as suggested and ComboFix finished almost instantly, and hopefully successfully. As mentioned, hopefully the anti-virus programs haven't compromised the info in the log. BTW, when can I start virus protection back up?

Please find my ComboFix log below:

ComboFix 08-06-15.4 - Owner 2008-06-17 8:22:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.583 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 0 bytes in 1 streams.
ADS - explorer.exe: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\Owner\Temporary Internet Files\firmware.inf
C:\Documents and Settings\Owner\Temporary Internet Files\ip3picfile.temp
C:\Documents and Settings\Owner\Temporary Internet Files\ip3Wmapic.temp
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\AcJSAGgh.ini
C:\WINDOWS\system32\AcJSAGgh.ini2
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\viuvhjsw.dll
C:\WINDOWS\system32\wsjhvuiv.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 18:35 . 2008-06-16 18:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-16 18:35 . 2008-06-16 18:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-13 15:30 . 2008-06-13 15:30 <DIR> d----c--- C:\Deckard
2008-06-13 12:04 . 2008-06-13 12:04 <DIR> d----c--- C:\qrnt
2008-06-13 10:28 . 2008-06-13 10:28 <DIR> d----c--- C:\VundoFix Backups
2008-06-12 22:00 . 2008-06-12 22:00 <DIR> d-------- C:\Program Files\Trisnap Technologies
2008-06-12 22:00 . 2004-03-09 01:00 662,288 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-06-12 22:00 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-06-12 22:00 . 2001-03-13 18:49 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-06-12 19:05 . 2008-06-12 19:05 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-12 18:44 . 2008-06-12 18:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 18:44 . 2008-06-12 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 18:01 . 2008-06-12 18:01 <DIR> d--hsc--- C:\Documents and Settings\LocalService\History
2008-06-12 14:50 . 2008-06-12 14:50 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:50 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-12 14:49 . 2008-06-13 19:10 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 14:47 . 2007-12-01 11:32 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-12 14:47 . 2007-12-01 11:32 79,304 --a------ C:\WINDOWS\system32\drivers\MfeAVFK.sys
2008-06-12 14:47 . 2007-12-01 11:33 55,016 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-06-12 14:47 . 2007-12-01 11:32 35,240 --a------ C:\WINDOWS\system32\drivers\MfeBOPK.sys
2008-06-12 14:47 . 2007-12-01 11:32 33,832 --a------ C:\WINDOWS\system32\drivers\MfeRKDK.sys
2008-06-12 14:41 . 2008-06-12 14:41 <DIR> d-------- C:\Program Files\McAfee
2008-06-12 13:12 . 2008-06-12 13:12 9,662 --a------ C:\WINDOWS\system32\blackip.ico
2008-06-12 11:42 . 2008-06-16 13:35 <DIR> d-------- C:\Program Files\altcmd
2008-06-12 11:42 . 2008-06-12 11:42 163,840 --a------ C:\WINDOWS\system32\2q4w4e.exe
2008-06-12 10:42 . 2008-06-12 17:06 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-06-12 10:42 . 2008-06-12 17:05 <DIR> d-------- C:\WINDOWS\system32\bip
2008-06-12 10:42 . 2008-06-12 17:05 <DIR> d-------- C:\WINDOWS\system32\BE1
2008-06-12 10:42 . 2008-06-12 10:42 <DIR> d-------- C:\WINDOWS\system32\40541
2008-06-12 10:42 . 2008-06-17 08:22 <DIR> d----c--- C:\Temp
2008-06-12 10:41 . 2008-06-12 10:41 49,158 --a------ C:\WINDOWS\444.0
2008-06-11 14:33 . 2008-04-14 22:30 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 14:33 . 2008-05-09 00:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-02 20:37 . 2008-06-02 20:50 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-01 11:33 . 2008-06-01 11:33 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Sonic
2008-06-01 11:33 . 2008-06-01 11:33 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-31 22:01 . 2008-05-31 22:01 <DIR> d-------- C:\WINDOWS\Sun
2008-05-31 20:34 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-31 13:17 . 2008-05-31 13:17 <DIR> d--hsc--- C:\Documents and Settings\NetworkService\Temporary Internet Files
2008-05-31 13:17 . 2008-05-31 13:17 <DIR> d--hsc--- C:\Documents and Settings\NetworkService\History
2008-05-26 21:27 . 2008-05-26 21:28 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-25 19:33 . 2008-05-25 19:50 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 20:07 . 2008-05-21 20:07 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2008-05-18 15:05 . 2008-05-18 15:05 <DIR> d-------- C:\Program Files\iriver
2008-05-17 18:09 . 2008-05-17 18:09 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-17 15:42 . 2008-05-17 15:53 <DIR> d-------- C:\Program Files\MP3Gain
2008-05-17 12:59 . 2008-05-17 12:59 <DIR> d-------- C:\Program Files\Safari
2008-05-17 12:58 . 2008-05-17 12:58 <DIR> d-------- C:\Program Files\QuickTime
2008-05-17 12:58 . 2008-05-17 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-17 12:55 . 2008-05-17 12:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-17 12:55 . 2008-05-17 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-16 21:12 . 2008-05-16 21:12 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-16 21:01 . 2008-05-16 21:01 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Talkback
2008-05-16 20:23 . 2008-05-16 20:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-16 20:19 . 2008-05-16 20:19 <DIR> d-------- C:\Program Files\Real
2008-05-16 20:19 . 2008-05-16 21:12 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-16 19:55 . 2008-05-16 19:55 <DIR> d-------- C:\Program Files\LimeWire
2008-05-16 19:55 . 2008-06-12 15:50 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-16 18:07 . 2008-05-16 18:07 <DIR> d-------- C:\Program Files\Common Files\Control Panels

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 22:29 --------- dc----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-06-15 23:17 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-15 23:17 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-15 23:17 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-15 23:17 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-08 08:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 10:34 --------- d-----w C:\Program Files\Java
2008-05-17 02:58 --------- d-----w C:\Program Files\Bonjour
2008-05-15 12:20 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-15 10:52 --------- d-----w C:\Program Files\Retrospect
2008-05-15 10:46 --------- d-----w C:\Program Files\Western Digital Technologies
2008-05-14 12:32 --------- dc----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-14 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-05-14 12:18 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-13 10:52 --------- d-----w C:\Program Files\Oberon Media
2008-05-13 10:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 10:43 --------- d-----w C:\Program Files\Microsoft Works
2008-05-13 10:26 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-13 10:18 --------- dc----w C:\Documents and Settings\Owner\Application Data\EndNote
2008-05-13 10:10 --------- dc----w C:\Documents and Settings\Owner\Application Data\muvee Technologies
2008-05-13 10:10 --------- dc----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-05-13 08:35 --------- d-----w C:\Program Files\Google
2008-05-09 00:46 --------- d-----w C:\Program Files\Common Files\Risxtd
2008-05-09 00:41 --------- d-----w C:\Program Files\CyberLink
2008-05-09 00:38 --------- d-----w C:\Program Files\Ahead
2008-05-09 00:37 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-09 00:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-09 00:24 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-09 00:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-09 00:16 --------- d-----w C:\Program Files\Synaptics
2008-05-09 00:16 --------- d-----w C:\Program Files\Sonic
2008-05-09 00:14 --------- d-----w C:\Program Files\NetWaiting
2008-05-09 00:14 --------- d-----w C:\Program Files\muvee Technologies
2008-05-09 00:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-09 00:13 --------- d-----w C:\Program Files\Intel
2008-05-09 00:12 --------- d-----w C:\Program Files\HPQ
2008-05-09 00:12 --------- d-----w C:\Program Files\HP
2008-05-09 00:12 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-09 00:12 --------- d-----w C:\Program Files\DivX
2008-05-09 00:12 --------- d-----w C:\Program Files\CONEXANT
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\Java
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-09 00:09 1,720 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_Presario C300 (RU922PA#ABG)_YN_0Pres_QCND6490BCB_E433358371_46_I30C6_SHP_V78.08_BF.05_T060814_WXH2_L409_M1015_J60_7Intel_8Celeron M 430_91.73_#080509_N10EC8139_(RU922PA#ABG)_XMOBILE_CN10_Z_2F.05.MRK
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\SBSI
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-09 00:09 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-05-09 00:03 26,376 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.1
2008-05-09 00:03 21,128 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.1
2008-05-08 23:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-08 23:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-08 22:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\CA
2008-05-08 22:55 --------- d-----w C:\Program Files\CA
2008-05-08 22:49 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-05-08 22:49 --------- d-----w C:\Program Files\Cisco Systems
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32131238-5434-4234-4234-432432423432}]
2008-06-16 11:04 147456 --a------ C:\Program Files\altcmd\altcmd32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91648AB6-FA55-44C5-A074-7F8D58FB77B6}]
C:\WINDOWS\system32\hgGASJcA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 20:34 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 15:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 22:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 22:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 22:17 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-03 01:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-06-23 16:43 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 17:21 135168]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 12:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-22 19:30 181512]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WD Button Manager"="WDBtnMgr.exe" [2008-05-15 20:46 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2006-09-11 17:32 9371648]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 21:12 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-03-05 00:00 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-03-05 00:00 87360]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-29 06:07 36640]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"f8c175b6"="C:\WINDOWS\system32\viuvhjsw.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\Retrospect.exe"=
"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\retrorun.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=

R2 EngineServer;EngineServer;"C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe" [2007-12-01 11:30]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 03:17:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 08:28:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Retrospect\Retrospect Express HD 2.0\retrorun.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-06-17 9:37:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 23:37:33

Pre-Run: 17,010,057,216 bytes free
Post-Run: 17,090,650,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

269 --- E O F --- 2008-06-11 04:36:59

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:57 PM

Posted 16 June 2008 - 07:12 PM

BTW when can I start virus protection back up?

I assume you mean enable your antivirus. You can enable it now. :thumbsup:

I will be gone for several hours, so it may be this evening before I have a chance to look at your log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:57 PM

Posted 16 June 2008 - 11:18 PM

Hi jakenbrock,

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run, type Notepad and click OK.
Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the code box below into Notepad:

File::
C:\Documents and Settings\Owner\Application Data\temp.dll 
C:\WINDOWS\system32\2q4w4e.exe
C:\Program Files\altcmd\altcmd32.dll
C:\Program Files\altcmd\altcmd32.dll1
C:\WINDOWS\444.0

Folder:: 
C:\VundoFix Backups 

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32131238-5434-4234-4234-432432423432}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91648AB6-FA55-44C5-A074-7F8D58FB77B6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f8c175b6"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
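The CFScript above was written by hand from the "Reg Loading Points" section of the earlier ComboFix log. As an added example (not code from this thread, from ComboFix, or from BleepingComputer), the Python below parses that section, applies a few heuristics of its own, and drafts the File:: and Registry:: stanzas in the same syntax. The heuristics are assumptions, not ComboFix's rules: a Run value whose metadata bracket is empty ("[ ]") means ComboFix could not read the file at scan time; an 8-hex-digit value name such as "f8c175b6" is auto-generated; a BHO listed without date/size metadata, or whose DLL sits directly in system32, is worth a look. The sample log is a constructed excerpt mirroring the thread's first log. Note what the heuristics miss: the altcmd32.dll BHO has full metadata and lives under Program Files, so it is not flagged even though the analyst removed it on other evidence. A drafted script is a starting point for a human to review, never something to run unread, for exactly the reason the warning above gives.

```python
"""Parse ComboFix 'Reg Loading Points' output and draft a CFScript (added example)."""
import re
from typing import Dict, List

# Constructed sample: an excerpt shaped like the first ComboFix log in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32131238-5434-4234-4234-432432423432}]
2008-06-16 11:04 147456 --a------ C:\Program Files\altcmd\altcmd32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91648AB6-FA55-44C5-A074-7F8D58FB77B6}]
C:\WINDOWS\system32\hgGASJcA.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 20:34 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"f8c175b6"="C:\WINDOWS\system32\viuvhjsw.dll" [ ]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="path" [date time size]   -- the bracket is empty when the file could not be read
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# optional "date time size attrs" prefix, then a drive-letter path
BHO_LINE_RE = re.compile(r"^(?:(?P<meta>\d{4}-\d\d-\d\d \d\d:\d\d \d+ \S+)\s+)?(?P<path>[A-Za-z]:\\.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
SYSTEM32_FILE_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def parse_loading_points(text: str) -> List[Dict[str, str]]:
    """One record per BHO or Run entry: kind, registry key, value name, path, metadata."""
    records, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        if "Browser Helper Objects" in key:
            m = BHO_LINE_RE.match(line)
            if m:
                records.append({"kind": "bho", "key": key, "name": "",
                                "path": m.group("path").strip(),
                                "meta": (m.group("meta") or "").strip()})
        elif key.lower().endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m:
                records.append({"kind": "run", "key": key, "name": m.group("name"),
                                "path": m.group("path"), "meta": m.group("meta").strip()})
    return records


def suspicious_reasons(rec: Dict[str, str]) -> List[str]:
    """Heuristics assumed for this example; they flag entries for review, not verdicts."""
    reasons = []
    if rec["kind"] == "run":
        if rec["meta"] == "":
            reasons.append("empty metadata: ComboFix could not read the target at scan time")
        if HEX_NAME_RE.match(rec["name"]):
            reasons.append("auto-generated 8-hex-digit value name")
    else:
        if rec["meta"] == "":
            reasons.append("BHO DLL listed without date/size metadata")
        if SYSTEM32_FILE_RE.match(rec["path"]):
            reasons.append("BHO DLL dropped directly in system32 rather than a vendor directory")
    return reasons


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for rec in parse_loading_points(text):
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def draft_cfscript(findings: List[Dict[str, object]]) -> str:
    """Emit File:: and Registry:: stanzas in the CFScript syntax used in the thread."""
    files: List[str] = []
    reg_lines: List[str] = []
    run_by_key: Dict[str, List[str]] = {}
    for f in findings:
        if f["path"] and f["path"] not in files:
            files.append(str(f["path"]))
        if f["kind"] == "bho":
            reg_lines.append(f"[-{f['key']}]")  # leading '-' deletes the whole key
        else:
            run_by_key.setdefault(str(f["key"]), []).append(str(f["name"]))
    for key, names in run_by_key.items():
        reg_lines.append(f"[{key}]")
        reg_lines.extend(f'"{n}"=-' for n in names)  # "name"=- removes one value
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(reg_lines) + "\n"


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(h["path"], "->", "; ".join(h["reasons"]))
    print()
    print(draft_cfscript(hits))
```

Run against the sample, the draft names hgGASJcA.dll (BHO without metadata, in system32) and the f8c175b6 Run value (empty metadata, hex name), and produces a "[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91648AB6-...}]" line plus a `"f8c175b6"=-` line under the HKLM Run key, the same two Registry:: operations the analyst wrote by hand for those entries. Paths in File:: are included even when the file may already be gone; ComboFix treats a missing File:: target as a no-op.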

#8 jakenbrock

jakenbrock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:57 PM

Posted 17 June 2008 - 01:22 AM

As requested SifuMike...



ComboFix 08-06-15.4 - Owner 2008-06-17 16:07:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.604 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner\Application Data\temp.dll
C:\Program Files\altcmd\altcmd32.dll
C:\Program Files\altcmd\altcmd32.dll1
C:\WINDOWS\444.0
C:\WINDOWS\system32\2q4w4e.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\altcmd\altcmd32.dll
C:\VundoFix Backups
C:\WINDOWS\444.0
C:\WINDOWS\system32\2q4w4e.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 18:35 . 2008-06-16 18:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-16 18:35 . 2008-06-16 18:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-13 15:30 . 2008-06-13 15:30 <DIR> d----c--- C:\Deckard
2008-06-13 12:04 . 2008-06-13 12:04 <DIR> d----c--- C:\qrnt
2008-06-12 22:00 . 2008-06-12 22:00 <DIR> d-------- C:\Program Files\Trisnap Technologies
2008-06-12 22:00 . 2004-03-09 01:00 662,288 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-06-12 22:00 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-06-12 22:00 . 2001-03-13 18:49 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-06-12 19:05 . 2008-06-12 19:05 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-12 18:44 . 2008-06-12 18:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 18:44 . 2008-06-12 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 18:01 . 2008-06-12 18:01 <DIR> d--hsc--- C:\Documents and Settings\LocalService\History
2008-06-12 14:50 . 2008-06-12 14:50 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:50 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-12 14:49 . 2008-06-13 19:10 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 14:47 . 2007-12-01 11:32 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-12 14:47 . 2007-12-01 11:32 79,304 --a------ C:\WINDOWS\system32\drivers\MfeAVFK.sys
2008-06-12 14:47 . 2007-12-01 11:33 55,016 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-06-12 14:47 . 2007-12-01 11:32 35,240 --a------ C:\WINDOWS\system32\drivers\MfeBOPK.sys
2008-06-12 14:47 . 2007-12-01 11:32 33,832 --a------ C:\WINDOWS\system32\drivers\MfeRKDK.sys
2008-06-12 14:41 . 2008-06-12 14:41 <DIR> d-------- C:\Program Files\McAfee
2008-06-12 13:12 . 2008-06-12 13:12 9,662 --a------ C:\WINDOWS\system32\blackip.ico
2008-06-12 11:42 . 2008-06-17 16:07 <DIR> d-------- C:\Program Files\altcmd
2008-06-12 10:42 . 2008-06-12 17:06 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-06-12 10:42 . 2008-06-12 17:05 <DIR> d-------- C:\WINDOWS\system32\bip
2008-06-12 10:42 . 2008-06-12 17:05 <DIR> d-------- C:\WINDOWS\system32\BE1
2008-06-12 10:42 . 2008-06-12 10:42 <DIR> d-------- C:\WINDOWS\system32\40541
2008-06-12 10:42 . 2008-06-17 08:22 <DIR> d----c--- C:\Temp
2008-06-11 14:33 . 2008-04-14 22:30 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 14:33 . 2008-05-09 00:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-02 20:37 . 2008-06-02 20:50 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-01 11:33 . 2008-06-01 11:33 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Sonic
2008-06-01 11:33 . 2008-06-01 11:33 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-31 22:01 . 2008-05-31 22:01 <DIR> d-------- C:\WINDOWS\Sun
2008-05-31 20:34 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-31 13:17 . 2008-05-31 13:17 <DIR> d--hsc--- C:\Documents and Settings\NetworkService\Temporary Internet Files
2008-05-31 13:17 . 2008-05-31 13:17 <DIR> d--hsc--- C:\Documents and Settings\NetworkService\History
2008-05-26 21:27 . 2008-05-26 21:28 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-25 19:33 . 2008-05-25 19:50 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 20:07 . 2008-05-21 20:07 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2008-05-18 15:05 . 2008-05-18 15:05 <DIR> d-------- C:\Program Files\iriver
2008-05-17 18:09 . 2008-05-17 18:09 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-17 15:42 . 2008-05-17 15:53 <DIR> d-------- C:\Program Files\MP3Gain
2008-05-17 12:59 . 2008-05-17 12:59 <DIR> d-------- C:\Program Files\Safari
2008-05-17 12:58 . 2008-05-17 12:58 <DIR> d-------- C:\Program Files\QuickTime
2008-05-17 12:58 . 2008-05-17 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-17 12:55 . 2008-05-17 12:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-17 12:55 . 2008-05-17 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 00:39 --------- dc----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-06-15 23:17 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-15 23:17 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-15 23:17 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-15 23:17 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-12 10:07 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-12 05:50 --------- dc----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-12 05:03 99,592 ----a-w C:\WINDOWS\system32\isafeif.dll
2008-06-12 05:03 83,256 ----a-w C:\WINDOWS\system32\vetredir.dll
2008-06-12 05:03 218,424 ----a-w C:\WINDOWS\system32\isafserv.dll
2008-06-12 05:03 144,696 ----a-w C:\WINDOWS\system32\isafe.exe
2008-06-12 05:03 107,784 ----a-w C:\WINDOWS\system32\isafinst.exe
2008-06-08 08:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-31 10:34 --------- d-----w C:\Program Files\Java
2008-05-17 02:58 --------- d-----w C:\Program Files\Bonjour
2008-05-16 11:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-16 11:12 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-16 11:12 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-16 11:12 --------- d-----w C:\Program Files\Common Files\Real
2008-05-16 11:01 --------- dc----w C:\Documents and Settings\Owner\Application Data\Talkback
2008-05-16 10:19 --------- d-----w C:\Program Files\Real
2008-05-16 09:55 --------- d-----w C:\Program Files\LimeWire
2008-05-16 08:07 --------- d-----w C:\Program Files\Common Files\Control Panels
2008-05-15 12:20 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-15 10:52 --------- d-----w C:\Program Files\Retrospect
2008-05-15 10:46 339,968 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe
2008-05-15 10:46 --------- d-----w C:\Program Files\Western Digital Technologies
2008-05-14 12:32 --------- dc----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-14 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-05-14 12:18 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-13 10:52 --------- d-----w C:\Program Files\Oberon Media
2008-05-13 10:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 10:43 --------- d-----w C:\Program Files\Microsoft Works
2008-05-13 10:26 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-13 10:18 --------- dc----w C:\Documents and Settings\Owner\Application Data\EndNote
2008-05-13 10:10 --------- dc----w C:\Documents and Settings\Owner\Application Data\muvee Technologies
2008-05-13 10:10 --------- dc----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-05-13 08:35 --------- d-----w C:\Program Files\Google
2008-05-09 00:46 --------- d-----w C:\Program Files\Common Files\Risxtd
2008-05-09 00:41 --------- d-----w C:\Program Files\CyberLink
2008-05-09 00:38 --------- d-----w C:\Program Files\Ahead
2008-05-09 00:37 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-09 00:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-09 00:24 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-09 00:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-09 00:16 --------- d-----w C:\Program Files\Synaptics
2008-05-09 00:16 --------- d-----w C:\Program Files\Sonic
2008-05-09 00:14 --------- d-----w C:\Program Files\NetWaiting
2008-05-09 00:14 --------- d-----w C:\Program Files\muvee Technologies
2008-05-09 00:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-09 00:13 --------- d-----w C:\Program Files\Intel
2008-05-09 00:12 --------- d-----w C:\Program Files\HPQ
2008-05-09 00:12 --------- d-----w C:\Program Files\HP
2008-05-09 00:12 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-09 00:12 --------- d-----w C:\Program Files\DivX
2008-05-09 00:12 --------- d-----w C:\Program Files\CONEXANT
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\Java
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-09 00:09 1,720 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_Presario C300 (RU922PA#ABG)_YN_0Pres_QCND6490BCB_E433358371_46_I30C6_SHP_V78.08_BF.05_T060814_WXH2_L409_M1015_J60_7Intel_8Celeron M 430_91.73_#080509_N10EC8139_(RU922PA#ABG)_XMOBILE_CN10_Z_2F.05.MRK
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\SBSI
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-09 00:09 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-05-09 00:03 26,376 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.1
2008-05-09 00:03 21,128 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.1
2008-05-08 23:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-08 23:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-08 22:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\CA
2008-05-08 22:55 --------- d-----w C:\Program Files\CA
2008-05-08 22:49 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-05-08 22:49 --------- d-----w C:\Program Files\Cisco Systems
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 12:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\dllcache\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-13 19:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-13 19:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\dllcache\portcls.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\dllcache\i8042prt.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\dllcache\ks.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-17_ 8.34.18.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 22:26:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 00:22:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-16 21:53:01 300,680 ----a-w C:\WINDOWS\system32\arclib.dll
+ 2008-06-16 22:38:49 300,680 ------w C:\WINDOWS\system32\arclib.dll
- 2008-06-16 21:53:04 95,472 ----a-w C:\WINDOWS\system32\avshlext.dll
+ 2008-06-16 22:38:51 95,472 ------w C:\WINDOWS\system32\avshlext.dll
- 2008-06-16 21:53:03 369,904 ----a-w C:\WINDOWS\system32\caav.exe
+ 2008-06-16 22:38:51 369,904 ------w C:\WINDOWS\system32\caav.exe
- 2008-06-16 21:53:03 152,816 ----a-w C:\WINDOWS\system32\caavcmdscan.exe
+ 2008-06-16 22:38:51 152,816 ------w C:\WINDOWS\system32\caavcmdscan.exe
- 2008-06-16 21:53:03 226,544 ----a-w C:\WINDOWS\system32\caavguiscan.exe
+ 2008-06-16 22:38:51 226,544 ------w C:\WINDOWS\system32\caavguiscan.exe
- 2008-06-16 21:53:04 201,968 ----a-w C:\WINDOWS\system32\caavimages.dll
+ 2008-06-16 22:38:52 201,968 ------w C:\WINDOWS\system32\caavimages.dll
- 2008-06-16 21:53:04 8,432 ----a-w C:\WINDOWS\system32\caavproduct.dll
+ 2008-06-16 22:38:52 8,432 ------w C:\WINDOWS\system32\caavproduct.dll
- 2008-06-16 21:53:04 79,088 ----a-w C:\WINDOWS\system32\caavresource.dll
+ 2008-06-16 22:38:52 79,088 ------w C:\WINDOWS\system32\caavresource.dll
- 2008-06-16 21:53:04 214,256 ----a-w C:\WINDOWS\system32\caavscan.dll
+ 2008-06-16 22:38:51 214,256 ------w C:\WINDOWS\system32\caavscan.dll
- 2008-06-16 21:53:03 398,576 ----a-w C:\WINDOWS\system32\cavrep.exe
+ 2008-06-16 22:38:51 398,576 ------w C:\WINDOWS\system32\cavrep.exe
- 2008-06-16 21:53:04 234,736 ----a-w C:\WINDOWS\system32\cavrid.exe
+ 2008-06-16 22:38:51 234,736 ------w C:\WINDOWS\system32\cavrid.exe
- 2008-06-16 21:53:04 222,448 ----a-w C:\WINDOWS\system32\driverif.dll
+ 2008-06-16 22:38:51 222,448 ------w C:\WINDOWS\system32\driverif.dll
- 2008-06-16 21:53:04 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
+ 2008-06-16 22:38:52 91,376 ------w C:\WINDOWS\system32\isafprod.dll
- 2008-06-16 21:45:55 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-17 00:27:28 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-16 21:45:55 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-17 00:27:28 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-16 21:53:05 120,048 ----a-w C:\WINDOWS\system32\unvet32.exe
+ 2008-06-16 22:38:52 120,048 ------w C:\WINDOWS\system32\unvet32.exe
- 2008-06-16 21:53:04 28,160 ----a-w C:\WINDOWS\system32\vdmdbg.dll
+ 2008-06-16 22:38:51 28,160 ------w C:\WINDOWS\system32\vdmdbg.dll
- 2008-06-16 21:53:04 251,120 ----a-w C:\WINDOWS\system32\vetmsg.exe
+ 2008-06-16 22:38:51 251,120 ------w C:\WINDOWS\system32\vetmsg.exe
- 2008-06-16 21:53:05 10,992 ----a-w C:\WINDOWS\system32\vetntmsg.dll
+ 2008-06-16 22:38:52 10,992 ------w C:\WINDOWS\system32\vetntmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 20:34 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 15:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 22:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 22:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 22:17 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-03 01:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-06-23 16:43 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 17:21 135168]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 12:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-22 19:30 181512]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WD Button Manager"="WDBtnMgr.exe" [2008-05-15 20:46 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2006-09-11 17:32 9371648]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 21:12 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-03-05 00:00 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-03-05 00:00 87360]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-29 06:07 36640]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\Retrospect.exe"=
"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\retrorun.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=

R2 EngineServer;EngineServer;"C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe" [2007-12-01 11:30]
S4 myAgtSvc;McAfee Virus and Spyware Protection Service;"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 03:17:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 16:10:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???H]??????`?@?????L?@

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-17 16:12:57
ComboFix-quarantined-files.txt 2008-06-17 06:11:54
ComboFix2.txt 2008-06-16 23:37:43

Pre-Run: 17,058,734,080 bytes free
Post-Run: 17,051,443,200 bytes free

294 --- E O F --- 2008-06-11 04:36:59

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-17 16:13:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:46 PM, on 17/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=presario&pf=laptop
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9500 bytes

-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 08:22:08 0 d------c- C:\cmdcons
2008-06-17 08:20:27 68096 --a------ C:\WINDOWS\zip.exe
2008-06-17 08:20:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-17 08:20:27 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-17 08:20:27 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-17 08:20:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-17 08:20:27 98816 --a------ C:\WINDOWS\sed.exe
2008-06-17 08:20:27 80412 --a------ C:\WINDOWS\grep.exe
2008-06-17 08:20:27 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-13 12:04:03 0 d------c- C:\qrnt
2008-06-12 22:00:27 159744 --a------ C:\WINDOWS\system32\hasher.dll <Not Verified; ; hasher Dynamic Link Library>
2008-06-12 22:00:26 0 d-------- C:\Program Files\Trisnap Technologies
2008-06-12 19:51:03 0 -rahs--c- C:\MSDOS.SYS
2008-06-12 19:51:03 0 -rahs--c- C:\IO.SYS
2008-06-12 19:05:25 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-12 19:05:15 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-06-12 18:44:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 18:01:31 0 d--hs--c- C:\Documents and Settings\LocalService\History
2008-06-12 14:50:05 0 d------c- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-12 14:49:46 0 d-------- C:\Program Files\SiteAdvisor
2008-06-12 14:49:46 0 d------c- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-06-12 14:49:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-12 14:49:46 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 14:41:42 0 d-------- C:\Program Files\McAfee
2008-06-12 11:42:27 0 d-------- C:\Program Files\altcmd
2008-06-12 10:42:14 0 d-------- C:\WINDOWS\system32\bip
2008-06-12 10:42:14 0 d-------- C:\WINDOWS\system32\BE1
2008-06-12 10:42:14 0 d-------- C:\WINDOWS\system32\40541
2008-06-12 10:42:09 0 d-------- C:\WINDOWS\system32\vntiho06
2008-06-12 10:42:09 0 d------c- C:\Temp
2008-06-02 20:37:00 0 d------c- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-01 11:33:18 0 d------c- C:\Documents and Settings\Owner\Application Data\Sonic
2008-06-01 11:33:08 0 d------c- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-31 22:01:38 0 d-------- C:\WINDOWS\Sun
2008-05-31 22:01:38 0 d------c- C:\Documents and Settings\Owner\Application Data\Sun
2008-05-31 13:17:06 0 d--hs--c- C:\Documents and Settings\NetworkService\Temporary Internet Files
2008-05-31 13:17:06 0 d--hs--c- C:\Documents and Settings\NetworkService\History
2008-05-26 21:27:43 0 d-------- C:\WINDOWS\system32\Adobe
2008-05-25 19:33:12 0 d-a----c- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 20:07:56 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2008-05-18 15:05:20 0 d-------- C:\Program Files\iriver
2008-05-17 18:09:12 0 d------c- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-17 15:42:20 0 d-------- C:\Program Files\MP3Gain
2008-05-17 12:59:23 0 d-------- C:\Program Files\Safari
2008-05-17 12:58:33 0 d-------- C:\Program Files\QuickTime
2008-05-17 12:58:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-17 12:55:37 0 d-------- C:\Program Files\Apple Software Update
2008-05-17 12:55:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-06-12 15:50:43 0 d------c- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 21:11:57 0 d------c- C:\Documents and Settings\Owner\Application Data\Adobe
2008-06-08 18:22:01 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-31 20:34:39 0 d-------- C:\Program Files\Java
2008-05-17 12:58:20 0 d-------- C:\Program Files\Bonjour
2008-05-16 21:12:37 0 d-------- C:\Program Files\Common Files
2008-05-16 21:12:37 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-16 21:12:33 0 d-------- C:\Program Files\Common Files\Real
2008-05-16 21:01:59 0 d------c- C:\Documents and Settings\Owner\Application Data\Talkback
2008-05-16 20:25:39 0 d------c- C:\Documents and Settings\Owner\Application Data\Real
2008-05-16 20:23:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-16 20:23:41 0 d------c- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-05-16 20:19:22 0 d-------- C:\Program Files\Real
2008-05-16 19:55:33 0 d-------- C:\Program Files\LimeWire
2008-05-16 18:07:33 0 d-------- C:\Program Files\Common Files\Control Panels
2008-05-15 22:20:02 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-15 21:24:44 0 d-------- C:\Program Files\Messenger
2008-05-15 21:24:28 0 d-------- C:\Program Files\Movie Maker
2008-05-15 21:22:07 0 d-------- C:\Program Files\Windows NT
2008-05-15 20:52:56 0 d-------- C:\Program Files\Retrospect
2008-05-15 20:46:45 0 d-------- C:\Program Files\Western Digital Technologies
2008-05-15 20:46:43 339968 --a------ C:\WINDOWS\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>
2008-05-14 22:18:03 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-13 21:03:07 0 d-------- C:\Program Files\Online Services
2008-05-13 20:52:58 0 d-------- C:\Program Files\Oberon Media
2008-05-13 20:45:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-13 20:43:56 0 d-------- C:\Program Files\Microsoft Works
2008-05-13 20:39:19 19 --a------ C:\WINDOWS\popcinfo.dat
2008-05-13 20:26:09 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-13 20:18:54 0 d------c- C:\Documents and Settings\Owner\Application Data\EndNote
2008-05-13 20:10:58 0 d------c- C:\Documents and Settings\Owner\Application Data\muvee Technologies
2008-05-13 18:44:50 0 d------c- C:\Documents and Settings\Owner\Application Data\Google
2008-05-13 18:35:44 0 d-------- C:\Program Files\Google
2008-05-13 10:04:09 1024 ---h---c- C:\diskfile1
2008-05-09 10:46:29 0 d-------- C:\Program Files\Common Files\Risxtd
2008-05-09 10:41:06 0 d-------- C:\Program Files\CyberLink
2008-05-09 10:38:04 0 d-------- C:\Program Files\Ahead
2008-05-09 10:37:48 0 d-------- C:\Program Files\Common Files\Ahead
2008-05-09 10:24:14 0 d-------- C:\Program Files\Common Files\L&H
2008-05-09 10:24:00 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-09 10:21:32 0 d-------- C:\Program Files\Microsoft.NET
2008-05-09 10:16:59 0 d-------- C:\Program Files\Synaptics
2008-05-09 10:16:57 0 d-------- C:\Program Files\Sonic
2008-05-09 10:14:25 0 d-------- C:\Program Files\NetWaiting
2008-05-09 10:14:05 0 d-------- C:\Program Files\muvee Technologies
2008-05-09 10:14:04 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-09 10:13:19 0 d-------- C:\Program Files\microsoft frontpage
2008-05-09 10:13:10 0 d-------- C:\Program Files\Intel
2008-05-09 10:12:59 0 d-------- C:\Program Files\HPQ
2008-05-09 10:12:58 0 d-------- C:\Program Files\HP
2008-05-09 10:12:23 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-09 10:12:05 0 d-------- C:\Program Files\DivX
2008-05-09 10:12:04 0 d-------- C:\Program Files\CONEXANT
2008-05-09 10:11:41 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-05-09 10:11:41 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-09 10:11:39 0 d-------- C:\Program Files\Common Files\ODBC
2008-05-09 10:11:25 0 d-------- C:\Program Files\Common Files\MSSoap
2008-05-09 10:11:15 0 d-------- C:\Program Files\Common Files\Java
2008-05-09 10:11:15 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-09 10:09:21 0 d------c- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-05-09 10:09:21 0 d------c- C:\Documents and Settings\Owner\Application Data\Identities
2008-05-09 09:56:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-09 08:55:32 0 d-------- C:\Program Files\CA
2008-05-09 08:49:47 8 --a------ C:\WINDOWS\system32\success
2008-05-09 08:49:38 0 d-------- C:\Program Files\Common Files\Deterministic Networks
2008-05-09 08:49:10 0 d-------- C:\Program Files\Cisco Systems


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [04/05/2006 03:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [23/03/2006 10:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [23/03/2006 10:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [23/03/2006 10:17 PM]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [03/06/2006 01:02 AM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [15/09/2007 02:27 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [23/06/2006 04:43 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [17/02/2005 01:11 AM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/06/2006 05:21 PM]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [19/06/2006 12:50 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [11/10/2005 12:23 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 11:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 11:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 11:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 11:00 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [31/10/2003 07:42 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [22/05/2008 07:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
"WD Button Manager"="WDBtnMgr.exe" [15/05/2008 08:46 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [11/09/2006 05:32 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [15/09/2007 02:29 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [16/05/2008 09:12 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 11:37 PM]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [05/03/2008 12:00 AM]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [05/03/2008 12:00 AM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [29/08/2007 06:07 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [23/05/2008 08:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-06-17 16:15:33 ------------

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:57 PM

Posted 17 June 2008 - 12:36 PM

Hi jakenbrock,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 6.0 Update 5
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************


Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)


These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
(Description: Adobe reader startup - unnecessarily uses system resources.)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
(Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray. )


Close all browsers and other windows except for HijackThis, and click "Fix checked"

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
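The two things SifuMike picks out of the log by eye in this post, entries whose target file is gone ("(no file)" / "(file missing)") and components that still point at the old jre1.6.0_05 tree after he has asked for Update 6, are the kind of check a helper ends up doing on every log. The script below is an added example written for this page; it is not code from the thread or from the HijackThis project. The sample lines are constructed from entries quoted in this thread, the Finding class and the rule names are this example's own, and the version it treats as current (1.6.0_06) is an assumption taken from the Update 6 install he recommends above.

```python
"""Triage helper for HijackThis-style log lines.

Flags the two classes of entry discussed in this thread:
  * orphaned entries whose target file is gone ("(no file)" / "(file missing)"),
  * entries that still reference a Java Runtime older than the one being installed.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries quoted in this thread (not a full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32131238-5434-4234-4234-432432423432} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O23 - Service: ..." -> section tag plus the rest of the line.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Sun JRE install directories embed the version: jre1.6.0_05 -> (1, 6, 0, 5).
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)

# Assumption: the JRE the helper recommended installing (Update 6).
CURRENT_JRE = (1, 6, 0, 6)


@dataclass
class Finding:
    kind: str    # HijackThis section tag, e.g. "O23"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def jre_version(text):
    """Return the JRE version tuple embedded in a path, or None if there is none."""
    m = JRE_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def format_jre(ver):
    """(1, 6, 0, 5) -> '1.6.0_05', the way Sun named the installers."""
    return f"{ver[0]}.{ver[1]}.{ver[2]}_{ver[3]:02d}"


def triage(log_text, current_jre=CURRENT_JRE):
    """Return a Finding for every log line that matches one of the two rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are skipped
        kind, body = m.group("kind"), m.group("body")
        # Rule 1: the registry still points at something that no longer exists.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding(kind, "orphaned entry: target file is absent", line))
            continue
        # Rule 2: a component of an older JRE is still wired into the browser or startup.
        ver = jre_version(body)
        if ver is not None and ver < current_jre:
            findings.append(Finding(kind, f"outdated JRE {format_jre(ver)}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run against a real log the orphaned-entry rule is a pointer, not a verdict: an orphan is usually the leftover of something already removed (the SysEnforce service and the nameless toolbar here), which is why they are fixed rather than investigated, while a live path under a stale JRE directory is what the Java update steps are meant to clear.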

#10 jakenbrock

jakenbrock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 17 June 2008 - 05:17 PM

Hi SifuMike,

I'm carrying out instructions as requested.

Uninstalled java and was performing the restart and got some error messages when spybot was closing that I thought I might post you. "Access violation at address 004B6BE9 in module 'TeaTimer.exe'. Read of address 00000010" and "Access violation at address 74E50DE8. Read of address 74E50DE8." Don't know what they mean but they went away only when I clicked the "end now" button to close spybot (they kept bouncing back at me otherwise).

Also I'm consistently receiving a message when I start up Windows that I'm sure is linked to the removal of this virus/spyware stuff. It is "Error loading C:\WINDOWS\system32\viuvhjsw.dll. The specific module could not be found".

I'll get back to you with the HiJackThis log after CCleaner, etc. Thanks

Jake

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:57 PM

Posted 17 June 2008 - 05:35 PM

Uninstalled java and was performing the restart and got some error messages when spybot was closing that I thought I might post you. "Access violation at address 004B6BE9 in module 'TeaTimer.exe'. Read of address 00000010" and "Access violation at address 74E50DE8. Read of address 74E50DE8." Don't know what they mean but they went away only when I clicked the "end now" button to close spybot (they kept bouncing back at me otherwise).



I should have told you to disable Teatimer when uninstalling Java. It goes nuts when it sees things being removed from the registry. You did the right thing in closing Teatimer.

Also I'm consistently receiving a message when I start up Windows that I'm sure is linked to the removal of this virus/spyware stuff. It is "Error loading C:\WINDOWS\system32\viuvhjsw.dll. The specific module could not be found".


That is OK. Windows thinks that is a valid file. :thumbsup:

Edited by SifuMike, 17 June 2008 - 05:36 PM.


#12 jakenbrock

jakenbrock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 17 June 2008 - 06:26 PM

Thanks for clearing that up... do you have any suggestions for making the "RUN.DLL / C:\WINDOWS\system32\viuvhjsw.dll" message go away? If not, no huge problem (that I can see). I believe the error may have been my fault, as I suspected the "viuvhjsw.dll" file was part of the virus problem due to some sketchy spyware removal instructions. I made a copy of the .dll file to a flash disk and deleted it from the system folder. Windows asked for it back on the next restart so I obliged. This all happened a few days before finding you guys, sorry.

Anyways my HijackThis log below. CCleaner seemed to operate with no problems.

Ta Jakenbrock



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:45 AM, on 18/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
C:\Program Files\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {32131238-5434-4234-4234-432432423432} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {91648AB6-FA55-44C5-A074-7F8D58FB77B6} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [f8c175b6] rundll32.exe "C:\WINDOWS\system32\viuvhjsw.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=presario&pf=laptop
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9503 bytes

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 June 2008 - 06:40 PM

I made a copy of the .dll file to a flash disk and deleted it from the system folder. Windows asked for it back on the next restart so I obliged. This all happened a few days before finding you guys, sorry.



Very bad! You restored a virus! :thumbsup: Never restore a file unless you know what it is.

I can see from the HijackThis log it is still there.

Now we will have to start over. :)

Disable your antivirus programs (McAfee Antivirus) and antimalware programs (Teatimer) and run ComboFix, and post the ComboFix log.

Edited by SifuMike, 17 June 2008 - 06:44 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
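As an added illustration, not from the thread or from any of the tools it mentions, here is a small Python triage script that applies the same checks a helper applies by eye to the O4 and O2 lines above: a Run value whose name is a bare hex token, rundll32 loading a DLL through a one-letter export, and a BHO registered for a file that no longer exists. The regular expressions are my own approximation of the HijackThis line format as it appears in the posted log, and the sample lines are copied from that log with two clean entries added for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines in HijackThis v2 format. The flagged entries are the
# ones from the log posted in this thread; the clean ones are there for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32131238-5434-4234-4234-432432423432} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [f8c175b6] rundll32.exe "C:\WINDOWS\system32\viuvhjsw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed line shapes (derived from the posted log, not an official grammar):
#   O4 - HKLM\..\Run: [ValueName] command line
#   O2 - BHO: Display Name - {CLSID} - path-or-(no file)
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
# rundll32 [path\]dll,ExportName  (the DLL path may be quoted)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# A Run value name that is nothing but hex digits, e.g. "f8c175b6", is not a product name.
HEX_TOKEN_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def check_run_entry(m: "re.Match") -> List[str]:
    """Heuristics for an O4 (autostart) line; returns the reasons it looks suspicious."""
    reasons = []
    name, cmd = m.group('name'), m.group('cmd')
    if HEX_TOKEN_RE.match(name):
        reasons.append('Run value name is a bare hex token instead of a product name')
    r = RUNDLL_RE.match(cmd)
    if r and len(r.group('export')) <= 2:
        reasons.append('rundll32 loads %s through a one- or two-character export'
                       % r.group('dll').rsplit('\\', 1)[-1])
    return reasons


def check_bho_entry(m: "re.Match") -> List[str]:
    """Heuristics for an O2 (Browser Helper Object) line."""
    reasons = []
    if m.group('path').strip().lower() == '(no file)':
        # The CLSID is still registered but its DLL is gone: an orphan to clean up.
        reasons.append('BHO %s is registered but its file is missing (orphaned entry)'
                       % m.group('clsid'))
    return reasons


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when nothing stands out."""
    line = line.strip()
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        reasons = check_run_entry(m)
    else:
        m = O2_RE.match(line)
        if m:
            reasons = check_bho_entry(m)
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through the checks; worst entries first."""
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print('    -', reason)
```

Run on the sample, the viuvhjsw.dll line is reported with two reasons and the orphaned BHO with one; the igfxtray and ctfmon lines pass.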

#14 jakenbrock

jakenbrock
  • Topic Starter

  • Members
  • 11 posts

Posted 17 June 2008 - 06:49 PM

All this happened a few days back. Sorry. Will start again though.

Jake

#15 jakenbrock

jakenbrock
  • Topic Starter

  • Members
  • 11 posts

Posted 17 June 2008 - 07:19 PM

Hi SifuMike

Please find my ComboFix log below... I also did a HijackThis log; find it below the ComboFix log. Gotta go out for a few hours. Sorry for the bother before. Thanks for the help again.

Jakenbrock


ComboFix 08-06-15.4 - Owner 2008-06-18 10:02:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.589 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-18 09:12 . 2008-06-18 09:12 300,680 --a------ C:\WINDOWS\system32\arclib.1
2008-06-18 08:59 . 2008-06-18 08:59 <DIR> d-------- C:\Program Files\CCleaner
2008-06-18 08:34 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-13 15:30 . 2008-06-13 15:30 <DIR> d----c--- C:\Deckard
2008-06-13 12:04 . 2008-06-13 12:04 <DIR> d----c--- C:\qrnt
2008-06-12 22:00 . 2008-06-12 22:00 <DIR> d-------- C:\Program Files\Trisnap Technologies
2008-06-12 22:00 . 2004-03-09 01:00 662,288 --a------ C:\WINDOWS\system32\mscomct2.ocx
2008-06-12 22:00 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-06-12 22:00 . 2001-03-13 18:49 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-06-12 19:05 . 2008-06-12 19:05 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-12 18:44 . 2008-06-12 18:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 18:44 . 2008-06-12 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 18:01 . 2008-06-12 18:01 <DIR> d--hsc--- C:\Documents and Settings\LocalService\History
2008-06-12 14:50 . 2008-06-12 14:50 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:50 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-12 14:49 . 2008-06-13 19:10 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-12 14:49 . 2008-06-12 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 14:47 . 2007-12-01 11:32 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-12 14:47 . 2007-12-01 11:32 79,304 --a------ C:\WINDOWS\system32\drivers\MfeAVFK.sys
2008-06-12 14:47 . 2007-12-01 11:33 55,016 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-06-12 14:47 . 2007-12-01 11:32 35,240 --a------ C:\WINDOWS\system32\drivers\MfeBOPK.sys
2008-06-12 14:47 . 2007-12-01 11:32 33,832 --a------ C:\WINDOWS\system32\drivers\MfeRKDK.sys
2008-06-12 14:41 . 2008-06-12 14:41 <DIR> d-------- C:\Program Files\McAfee
2008-06-12 13:12 . 2008-06-12 13:12 9,662 --a------ C:\WINDOWS\system32\blackip.ico
2008-06-12 11:42 . 2008-06-17 16:07 <DIR> d-------- C:\Program Files\altcmd
2008-06-12 10:42 . 2008-06-12 17:06 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-06-12 10:42 . 2008-06-12 17:05 <DIR> d-------- C:\WINDOWS\system32\bip
2008-06-12 10:42 . 2008-06-12 17:05 <DIR> d-------- C:\WINDOWS\system32\BE1
2008-06-12 10:42 . 2008-06-12 10:42 <DIR> d-------- C:\WINDOWS\system32\40541
2008-06-12 10:42 . 2008-06-17 08:22 <DIR> d----c--- C:\Temp
2008-06-11 14:33 . 2008-04-14 22:30 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 14:33 . 2008-05-09 00:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-02 20:37 . 2008-06-02 20:50 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-01 11:33 . 2008-06-01 11:33 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Sonic
2008-06-01 11:33 . 2008-06-01 11:33 <DIR> d----c--- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-05-31 22:01 . 2008-05-31 22:01 <DIR> d-------- C:\WINDOWS\Sun
2008-05-31 13:17 . 2008-05-31 13:17 <DIR> d--hsc--- C:\Documents and Settings\NetworkService\Temporary Internet Files
2008-05-31 13:17 . 2008-05-31 13:17 <DIR> d--hsc--- C:\Documents and Settings\NetworkService\History
2008-05-26 21:27 . 2008-05-26 21:28 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-25 19:33 . 2008-05-25 19:50 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 20:07 . 2008-05-21 20:07 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2008-05-18 15:05 . 2008-05-18 15:05 <DIR> d-------- C:\Program Files\iriver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 23:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-06-17 22:34 --------- d-----w C:\Program Files\Java
2008-06-17 00:29 28,160 ------w C:\WINDOWS\system32\vdmdbg.dll
2008-06-15 23:17 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-15 23:17 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-15 23:17 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-15 23:17 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-12 10:07 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-12 05:50 --------- dc----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-12 05:03 99,592 ----a-w C:\WINDOWS\system32\isafeif.dll
2008-06-12 05:03 83,256 ----a-w C:\WINDOWS\system32\vetredir.dll
2008-06-12 05:03 218,424 ----a-w C:\WINDOWS\system32\isafserv.dll
2008-06-12 05:03 144,696 ----a-w C:\WINDOWS\system32\isafe.exe
2008-06-12 05:03 107,784 ----a-w C:\WINDOWS\system32\isafinst.exe
2008-06-08 08:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-17 08:09 --------- dc----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-17 05:53 --------- d-----w C:\Program Files\MP3Gain
2008-05-17 02:59 --------- d-----w C:\Program Files\Safari
2008-05-17 02:58 --------- d-----w C:\Program Files\QuickTime
2008-05-17 02:58 --------- d-----w C:\Program Files\Bonjour
2008-05-17 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-17 02:55 --------- d-----w C:\Program Files\Apple Software Update
2008-05-17 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-16 11:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-16 11:12 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-16 11:12 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-16 11:12 --------- d-----w C:\Program Files\Common Files\Real
2008-05-16 11:01 --------- dc----w C:\Documents and Settings\Owner\Application Data\Talkback
2008-05-16 10:19 --------- d-----w C:\Program Files\Real
2008-05-16 09:55 --------- d-----w C:\Program Files\LimeWire
2008-05-16 08:07 --------- d-----w C:\Program Files\Common Files\Control Panels
2008-05-15 12:20 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-15 10:52 --------- d-----w C:\Program Files\Retrospect
2008-05-15 10:46 339,968 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe
2008-05-15 10:46 --------- d-----w C:\Program Files\Western Digital Technologies
2008-05-14 12:32 --------- dc----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-14 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-05-14 12:18 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-13 10:52 --------- d-----w C:\Program Files\Oberon Media
2008-05-13 10:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 10:43 --------- d-----w C:\Program Files\Microsoft Works
2008-05-13 10:26 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-13 10:18 --------- dc----w C:\Documents and Settings\Owner\Application Data\EndNote
2008-05-13 10:10 --------- dc----w C:\Documents and Settings\Owner\Application Data\muvee Technologies
2008-05-13 10:10 --------- dc----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-05-13 08:35 --------- d-----w C:\Program Files\Google
2008-05-09 00:46 --------- d-----w C:\Program Files\Common Files\Risxtd
2008-05-09 00:41 --------- d-----w C:\Program Files\CyberLink
2008-05-09 00:38 --------- d-----w C:\Program Files\Ahead
2008-05-09 00:37 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-09 00:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-09 00:24 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-09 00:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-09 00:16 --------- d-----w C:\Program Files\Synaptics
2008-05-09 00:16 --------- d-----w C:\Program Files\Sonic
2008-05-09 00:14 --------- d-----w C:\Program Files\NetWaiting
2008-05-09 00:14 --------- d-----w C:\Program Files\muvee Technologies
2008-05-09 00:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-09 00:13 --------- d-----w C:\Program Files\Intel
2008-05-09 00:12 --------- d-----w C:\Program Files\HPQ
2008-05-09 00:12 --------- d-----w C:\Program Files\HP
2008-05-09 00:12 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-09 00:12 --------- d-----w C:\Program Files\DivX
2008-05-09 00:12 --------- d-----w C:\Program Files\CONEXANT
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\Java
2008-05-09 00:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-09 00:09 1,720 --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_Presario C300 (RU922PA#ABG)_YN_0Pres_QCND6490BCB_E433358371_46_I30C6_SHP_V78.08_BF.05_T060814_WXH2_L409_M1015_J60_7Intel_8Celeron M 430_91.73_#080509_N10EC8139_(RU922PA#ABG)_XMOBILE_CN10_Z_2F.05.MRK
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\SBSI
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-09 00:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-09 00:09 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-05-09 00:03 26,376 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.1
2008-05-09 00:03 21,128 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.1
2008-05-08 23:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-08 23:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-08 22:55 --------- dc----w C:\Documents and Settings\All Users\Application Data\CA
2008-05-08 22:55 --------- d-----w C:\Program Files\CA
2008-05-08 22:49 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-05-08 22:49 --------- d-----w C:\Program Files\Cisco Systems
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 12:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\dllcache\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
.

((((((((((((((((((((((((((((( snapshot_2008-06-17_16.11.45.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 00:22:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 23:06:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-16 22:38:49 300,680 ------w C:\WINDOWS\system32\arclib.dll
+ 2008-06-17 22:35:47 300,680 ------w C:\WINDOWS\system32\arclib.dll
- 2008-06-16 22:38:51 95,472 ------w C:\WINDOWS\system32\avshlext.dll
+ 2008-06-17 22:35:50 95,472 ------w C:\WINDOWS\system32\avshlext.dll
- 2008-06-16 22:38:51 369,904 ------w C:\WINDOWS\system32\caav.exe
+ 2008-06-17 22:35:49 369,904 ------w C:\WINDOWS\system32\caav.exe
- 2008-06-16 22:38:51 152,816 ------w C:\WINDOWS\system32\caavcmdscan.exe
+ 2008-06-17 22:35:49 152,816 ------w C:\WINDOWS\system32\caavcmdscan.exe
- 2008-06-16 22:38:51 226,544 ------w C:\WINDOWS\system32\caavguiscan.exe
+ 2008-06-17 22:35:49 226,544 ------w C:\WINDOWS\system32\caavguiscan.exe
- 2008-06-16 22:38:52 201,968 ------w C:\WINDOWS\system32\caavimages.dll
+ 2008-06-17 22:35:50 201,968 ------w C:\WINDOWS\system32\caavimages.dll
- 2008-06-16 22:38:52 8,432 ------w C:\WINDOWS\system32\caavproduct.dll
+ 2008-06-17 22:35:50 8,432 ------w C:\WINDOWS\system32\caavproduct.dll
- 2008-06-16 22:38:52 79,088 ------w C:\WINDOWS\system32\caavresource.dll
+ 2008-06-17 22:35:50 79,088 ------w C:\WINDOWS\system32\caavresource.dll
- 2008-06-16 22:38:51 214,256 ------w C:\WINDOWS\system32\caavscan.dll
+ 2008-06-17 22:35:50 214,256 ------w C:\WINDOWS\system32\caavscan.dll
- 2008-06-16 22:38:51 398,576 ------w C:\WINDOWS\system32\cavrep.exe
+ 2008-06-17 22:35:49 398,576 ------w C:\WINDOWS\system32\cavrep.exe
- 2008-06-16 22:38:51 234,736 ------w C:\WINDOWS\system32\cavrid.exe
+ 2008-06-17 22:35:49 234,736 ------w C:\WINDOWS\system32\cavrid.exe
- 2008-05-09 00:04:48 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-06-17 21:58:13 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2008-06-16 22:38:51 222,448 ------w C:\WINDOWS\system32\driverif.dll
+ 2008-06-17 22:35:50 222,448 ------w C:\WINDOWS\system32\driverif.dll
- 2008-06-16 22:38:52 91,376 ------w C:\WINDOWS\system32\isafprod.dll
+ 2008-06-17 22:35:50 91,376 ------w C:\WINDOWS\system32\isafprod.dll
- 2008-02-21 15:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-24 15:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-21 15:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-24 15:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-21 16:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-24 16:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-06-17 00:27:28 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-17 23:11:30 62,746 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-17 00:27:28 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-17 23:11:30 401,632 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-16 22:38:52 120,048 ------w C:\WINDOWS\system32\unvet32.exe
+ 2008-06-17 22:35:50 120,048 ------w C:\WINDOWS\system32\unvet32.exe
- 2008-06-16 22:38:51 251,120 ------w C:\WINDOWS\system32\vetmsg.exe
+ 2008-06-17 22:35:49 251,120 ------w C:\WINDOWS\system32\vetmsg.exe
- 2008-06-16 22:38:52 10,992 ------w C:\WINDOWS\system32\vetntmsg.dll
+ 2008-06-17 22:35:50 10,992 ------w C:\WINDOWS\system32\vetntmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32131238-5434-4234-4234-432432423432}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91648AB6-FA55-44C5-A074-7F8D58FB77B6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 20:34 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 15:58 458752]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 22:17 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 22:17 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-03 01:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-06-23 16:43 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 17:21 135168]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 12:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-22 19:30 181512]
"WD Button Manager"="WDBtnMgr.exe" [2008-05-15 20:46 339968 C:\WINDOWS\system32\WDBtnMgr.exe]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2006-09-11 17:32 9371648]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-03-05 00:00 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-03-05 00:00 87360]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-29 06:07 36640]
"f8c175b6"="C:\WINDOWS\system32\viuvhjsw.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\Retrospect.exe"=
"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\retrorun.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=

R2 EngineServer;EngineServer;"C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe" [2007-12-01 11:30]
S4 myAgtSvc;McAfee Virus and Spyware Protection Service;"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 03:17:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 10:03:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???H]??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 10:05:01
ComboFix-quarantined-files.txt 2008-06-18 00:04:56
ComboFix2.txt 2008-06-17 06:12:57
ComboFix3.txt 2008-06-16 23:37:43

Pre-Run: 16,770,256,896 bytes free
Post-Run: 16,765,227,008 bytes free

278 --- E O F --- 2008-06-11 04:36:59


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:09 AM, on 18/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {32131238-5434-4234-4234-432432423432} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {91648AB6-FA55-44C5-A074-7F8D58FB77B6} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [f8c175b6] rundll32.exe "C:\WINDOWS\system32\viuvhjsw.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=presario&pf=laptop
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8967 bytes
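As a triage aid for HijackThis logs like the one above, here is an added example (editor's code, not from the original poster, BleepingComputer, or the HijackThis project). It parses the O2 (BHO), O4 (Run key), and O23 (service) lines and flags the entries a helper would look at first. The heuristics are the editor's own: a Run value whose name is eight random-looking hex characters, rundll32 loading a DLL from system32 through a one-letter export (the shape of the `[f8c175b6]` entry above, which is how the Vundo family registered its payload DLL at the time), BHOs registered with `(no file)`, and services with no publisher. The sample input is copied from the log above; nothing else is assumed about the machine.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log above. They are the
# test data for the heuristics below; no other lines are assumed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32131238-5434-4234-4234-432432423432} - (no file)
O2 - BHO: (no name) - {91648AB6-FA55-44C5-A074-7F8D58FB77B6} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [f8c175b6] rundll32.exe "C:\WINDOWS\system32\viuvhjsw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    line: str
    severity: str                     # "HIGH" or "LOW"
    reasons: list = field(default_factory=list)


# Line shapes used by HijackThis for the three sections we care about.
O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# rundll32 [path\]dll,export  (path may be quoted)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
                       re.IGNORECASE)
# Editor's heuristic: legitimate vendors name Run values after the product,
# not after eight hex digits.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')


def check_o4(name: str, cmd: str) -> list:
    """Return the reasons (if any) an O4 Run entry looks like an injected loader."""
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("Run value name is 8 random-looking hex characters")
    m = RUNDLL_RE.match(cmd)
    if m:
        dll = m.group("dll")
        export = m.group("export")
        # A real rundll32 autostart names a recognisable DLL and export;
        # a one-letter export on a system32 DLL is the loader pattern.
        if "\\system32\\" in dll.lower() and len(export) <= 2:
            reasons.append(f"rundll32 loads {ntpath.basename(dll)} from system32 "
                           f"via short export ',{export}'")
    return reasons


def triage(log_text: str) -> list:
    """Scan a HijackThis log and return the entries worth a helper's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m.group("name"), m.group("cmd"))
            if reasons:
                findings.append(Finding(line, "HIGH", reasons))
            continue
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append(Finding(line, "LOW",
                            ["BHO CLSID registered but DLL missing (orphaned entry; cleanup candidate)"]))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding(line, "LOW",
                            ["service binary carries no publisher; verify its signature or hash"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the only HIGH finding is the `[f8c175b6]` entry, for both reasons; the two `(no file)` BHOs and the unsigned-looking SiteAdvisor service come back LOW, which is the right weight: the BHO leftovers are harmless clutter and SiteAdvisor is a known product, so those are "verify", not "remove". A heuristic pass like this only narrows the list; the process list at the top of the log and the O23 binaries still need their hashes checked before anything is deleted.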