Infected With Virtuemonde/vundo.gen!d


  • This topic is locked
7 replies to this topic

#1 Blacknote

  • Members
  • 4 posts
  • OFFLINE
  • Local time: 04:15 PM

Posted 17 June 2008 - 05:25 PM

I am getting pop-ups through Internet Explorer and Windows Defender tells me I have a virus (vundo.gen!d) but cannot remove it. Windows Defender says Microsoft needs more information about this software. C:\Windows\system32\ljJDUkiJ.dll. Then it encounters error 0x80501001. Please help!!!


Deckard's System Scanner v20071014.68
Run by Daniel Bellinger on 2008-06-17 16:55:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 2 Restore Point(s) --
2: 2008-06-17 21:00:49 UTC - RP86 - Windows Defender Checkpoint
1: 2008-06-17 20:49:10 UTC - RP84 - Windows Update


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.97 GiB (less than 15%) free.


-- HijackThis (run as Daniel Bellinger.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:52 PM, on 6/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Proxure\MCE Tunes Pro\MCETunesExtenderSupport.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\IRW.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Proxure\MCE Tunes Pro\ProxureQTHost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\taskmgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\Program Files\Safari\Safari.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Users\Daniel Bellinger\Downloads\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Daniel Bellinger.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {3430AE98-490B-48FD-9AEC-1FF5726887E6} - C:\Windows\system32\ljJDUkiJ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IRW] C:\Windows\system32\IRW.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [MCE Tunes Video Encoder] "C:\Program Files\Proxure\MCE Tunes Pro\EncService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [BM41be11f1] Rundll32.exe "C:\Windows\system32\jnhqrpwk.dll",s
O4 - HKLM\..\Run: [428d226d] rundll32.exe "C:\Windows\system32\ekljouaw.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunOnce: [MCE Tunes Extender Support] "C:\Program Files\Proxure\MCE Tunes Pro\LaunchExtenderSupport.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{F13E046A-79BD-4ED5-B42F-BEEE8B08D374}
O4 - HKCU\..\Run: [BM41be11f1] Rundll32.exe "C:\Windows\system32\jnhqrpwk.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - c:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\Windows\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\Windows\system32\AppleTimeSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - c:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - c:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8988 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 MDFSYSNT (MacDrive file system driver) - c:\windows\system32\drivers\mdfsysnt.sys <Not Verified; Mediafour Corporation; Mediafour MacDrive>
R0 MDPMGRNT - c:\windows\system32\drivers\mdpmgrnt.sys <Not Verified; Mediafour Corporation; Mediafour MacDrive>
R2 KeyAgent - \??\c:\windows\system32\drivers\keyagent.sys
R2 MacHALDriver (Mac HAL) - \??\c:\windows\system32\drivers\machaldriver.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 MacDriveService - "c:\program files\mediafour\macdrive 7\macdriveservice.exe" <Not Verified; Mediafour Corporation; Mediafour MacDrive>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S2 RoxLiveShare9 (LiveShare P2P Server 9) - "c:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe" (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000A\7&7869F61&0&001CCCBB6672_C00000001
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000A\7&7869F61&0&001CCCBB6672_C00000001
Service:

Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000A\7&7869F61&0&002106175B56_C00000000
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000A\7&7869F61&0&002106175B56_C00000000
Service:

Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000A\7&7869F61&0&001CCCBB6672_C00000001
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000A\7&7869F61&0&001CCCBB6672_C00000001
Service:

Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000A\7&7869F61&0&002106175B56_C00000000
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000A\7&7869F61&0&002106175B56_C00000000
Service:

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C4380 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4380 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-17 16:47:11 440 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{F13E046A-79BD-4ED5-B42F-BEEE8B08D374}.job


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 15:37:14 0 d-------- C:\Program Files\Trend Micro
2008-06-17 15:13:56 95808 --a------ C:\Windows\system32\ekljouaw.dll
2008-06-17 15:13:35 104512 --a------ C:\Windows\system32\krpwkdlm.dll
2008-06-17 15:11:20 102976 --a------ C:\Windows\system32\jnhqrpwk.dll
2008-06-17 15:04:53 0 d-------- C:\Users\All Users\NVIDIA
2008-06-17 14:29:53 0 dr------- C:\Users\Daniel Bellinger\Music
2008-06-17 14:29:52 0 dr------- C:\Users\Daniel Bellinger\Pictures
2008-06-16 20:40:13 0 d-------- C:\Program Files\Boot Camp
2008-06-16 18:28:45 102654 --a------ C:\Users\All Users\BM41?
2008-06-15 22:13:26 0 d-------- C:\Users\All Users\Webroot
2008-06-15 22:13:26 0 d-------- C:\Program Files\Webroot
2008-06-15 12:21:07 0 d-------- C:\SiteAdvisor
2008-05-29 09:15:13 0 d-------- C:\Program Files\Common Files\Research In Motion
2008-05-28 17:29:21 0 d-------- C:\Program Files\Research In Motion
2008-05-28 09:13:41 0 d-------- C:\Users\All Users\LogiShrd
2008-05-28 09:09:41 0 d-------- C:\Users\All Users\Logitech
2008-05-28 09:09:33 0 d-------- C:\Program Files\Common Files\Logishrd
2008-05-28 09:09:29 0 d-------- C:\Program Files\Logitech
2008-05-26 05:01:03 0 d-------- C:\PerfLogs
2008-05-22 10:21:04 2624 --a------ C:\Windows\system32\jvrpjubt.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-17 15:43:19 0 d-------- C:\Program Files\Common Files
2008-06-17 15:41:27 3501 --a------ C:\Windows\bthservsdp.dat
2008-06-17 15:13:58 686465 --ahs---- C:\Windows\system32\JikUDJjl.ini2
2008-06-17 15:05:14 28884 --a------ C:\Users\Daniel Bellinger\AppData\Roaming\nvModes.001
2008-06-17 14:29:55 6 --ahs---- C:\Users\Daniel Bellinger\AppData\Roaming\desktop.ini
2008-06-17 14:20:40 0 d-------- C:\Program Files\DIFX
2008-06-16 20:43:42 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\uTorrent
2008-06-16 20:36:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-15 22:13:27 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Webroot
2008-06-15 21:49:40 0 d-------- C:\Program Files\Windows Mail
2008-05-28 17:32:50 256 --a------ C:\Windows\system32\pool.bin
2008-05-28 16:54:55 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-05-28 16:54:43 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-05-28 09:13:20 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Logitech
2008-05-28 09:09:17 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\InstallShield
2008-05-28 08:36:54 174 --ahs---- C:\Program Files\desktop.ini
2008-05-26 05:07:30 0 d-------- C:\Program Files\Windows Calendar
2008-05-26 05:07:29 0 d-------- C:\Program Files\Windows Sidebar
2008-05-26 05:07:29 0 d-------- C:\Program Files\Movie Maker
2008-05-26 05:07:23 0 d-------- C:\Program Files\Windows Collaboration
2008-05-26 05:07:21 0 d-------- C:\Program Files\Windows Journal
2008-05-26 05:07:19 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-26 05:07:04 0 d-------- C:\Program Files\Windows Defender
2008-05-25 17:08:40 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Yahoo!
2008-05-22 10:15:48 28380 --a------ C:\Users\Daniel Bellinger\AppData\Roaming\nvModes.dat
2008-05-15 09:11:06 2112 --a------ C:\Windows\system32\ynbcbtjp.exe
2008-05-15 09:05:06 3648 --a------ C:\Windows\system32\urwlvegg.dll
2008-05-14 00:34:12 2112 --a------ C:\Windows\system32\ayysucvf.exe
2008-05-14 00:32:03 3648 --a------ C:\Windows\system32\wftmigmx.dll
2008-05-12 21:08:12 3648 --a------ C:\Windows\system32\yjcybtei.dll
2008-05-12 20:59:21 3648 --a------ C:\Windows\system32\pldaabky.dll
2008-05-12 12:36:35 0 d-------- C:\Program Files\Java
2008-05-05 15:32:41 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Adobe
2008-05-05 15:06:10 0 d-------- C:\Program Files\Common Files\Java
2008-05-05 14:06:44 0 d-------- C:\Program Files\Proxure
2008-05-03 23:30:57 191728 --ah----- C:\Windows\system32\mlfcache.dat
2008-04-26 12:43:40 345 --ahs---- C:\Windows\system32\ghikmnmp.ini2
2008-04-23 20:46:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-23 20:46:17 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-22 16:55:03 0 d-------- C:\Program Files\Safari
2008-04-21 22:16:00 226149 --a------ C:\Windows\hpqins13.dat
2008-04-21 22:07:02 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\HP
2008-04-21 22:02:33 163816 --a------ C:\Windows\hpqins05.dat
2008-04-21 22:01:41 0 d-------- C:\Program Files\HP
2008-04-21 21:50:01 345 --ahs---- C:\Windows\system32\ihjPoUvw.ini2
2008-04-21 21:40:47 165222 --a------ C:\Windows\hpoins21.dat
2008-04-21 21:37:56 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-21 21:37:55 0 d-------- C:\Program Files\Hewlett-Packard
2008-04-21 21:36:20 0 d-------- C:\Program Files\Common Files\HP
2008-04-18 20:14:35 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\acccore
2008-04-18 20:14:10 0 d-------- C:\Program Files\AIM6
2008-04-18 20:13:14 0 d-------- C:\Program Files\Common Files\AOL
2008-04-18 20:06:05 0 d-------- C:\Program Files\Yahoo!
2008-04-17 15:22:28 6454 --ahs---- C:\Windows\system32\xISsAJlm.ini2
2008-04-17 10:48:43 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Blackberry Desktop
2008-04-17 10:29:51 0 d-------- C:\Program Files\NeroInstall.bak
2008-04-17 10:23:36 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Nero
2008-04-17 10:19:00 0 d-------- C:\Program Files\Common Files\Nero
2008-04-17 10:12:19 0 d-------- C:\Program Files\Nero
2008-04-17 10:01:36 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Apple Computer
2008-04-17 09:38:38 0 d-------- C:\Program Files\iTunes
2008-04-17 09:37:55 0 d-------- C:\Program Files\iPod
2008-04-17 09:37:10 0 d-------- C:\Program Files\Bonjour
2008-04-17 09:36:41 0 d-------- C:\Program Files\QuickTime
2008-04-17 09:33:27 0 d-------- C:\Program Files\Apple Software Update
2008-04-17 09:31:03 0 d-------- C:\Program Files\Common Files\Apple
2008-04-17 09:25:45 0 d-------- C:\Program Files\MSXML 4.0
2008-04-17 09:21:52 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-17 09:15:16 273408 --a------ C:\Windows\system32\ljJDUkiJ.dll
2008-04-17 09:08:39 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Research In Motion
2008-04-17 09:06:08 0 d-------- C:\Program Files\Intel
2008-04-17 09:05:10 0 d-------- C:\Program Files\Motorola
2008-04-17 09:04:44 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-17 09:04:44 0 d-------- C:\Program Files\Realtek
2008-04-17 09:03:28 0 d-------- C:\Program Files\ATI
2008-04-17 09:01:08 0 d-------- C:\Program Files\Common Files\Mediafour
2008-04-17 08:59:25 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Identities
2008-04-17 06:01:38 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-17 05:27:50 0 d-------- C:\Program Files\BitLocker
2008-04-17 05:27:48 0 d-------- C:\Program Files\Microsoft Games
2008-04-17 05:21:26 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\WinRAR
2008-04-17 05:09:37 0 d-------- C:\Program Files\uTorrent
2008-04-17 04:38:41 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\TVU Networks
2008-04-17 04:38:33 0 d-------- C:\Program Files\TVUPlayer
2008-04-17 04:29:53 0 d-------- C:\Program Files\Microsoft Works
2008-04-17 04:29:36 0 d-------- C:\Program Files\MSBuild
2008-04-17 04:29:21 0 d-------- C:\Program Files\DVD Shrink
2008-04-17 04:28:11 0 d-------- C:\Program Files\Microsoft.NET
2008-04-17 04:27:33 0 d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Macromedia
2008-04-17 04:25:13 0 d-------- C:\Program Files\Mediafour
2008-04-17 04:24:41 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-11 17:23:54 38400 --a------ C:\Windows\system32\SoundSchemes.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3430AE98-490B-48FD-9AEC-1FF5726887E6}]
04/17/2008 09:15 AM 273408 --a------ C:\Windows\system32\ljJDUkiJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 02:38 AM]
"RtHDVCpl"="RtHDVCpl.exe" [04/15/2008 03:36 PM C:\Windows\RtHDVCpl.exe]
"IRW"="C:\Windows\system32\IRW.exe" [04/15/2008 03:31 PM]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [07/12/2007 10:57 AM]
"MDGetStarted.exe"="C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" [06/13/2007 01:23 PM]
"MCE Tunes Video Encoder"="C:\Program Files\Proxure\MCE Tunes Pro\EncService.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Skytel"="Skytel.exe" [04/15/2008 03:36 PM C:\Windows\SkyTel.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [02/29/2008 03:12 AM C:\Windows\KHALMNPR.Exe]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [04/15/2008 04:46 PM]
"BM41be11f1"="C:\Windows\system32\jnhqrpwk.dll" [06/17/2008 03:11 PM]
"428d226d"="C:\Windows\system32\ekljouaw.dll" [06/17/2008 03:13 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 02:33 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 02:33 AM]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 02:33 AM]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [01/19/2008 02:33 AM]
"BM41be11f1"="C:\Windows\system32\jnhqrpwk.dll,s" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"MCE Tunes Extender Support"="C:\Program Files\Proxure\MCE Tunes Pro\LaunchExtenderSupport.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [5/28/2008 9:10:02 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\ljJDUkiJ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
bthsvcs BthServ
GPSvcGroup GPSvc
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HPService HPSLPSVC
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-06-17 17:00:59 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7500 @ 2.20GHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 2029.83 MiB / 1003.7 MiB
Pagefile Memory (total/avail): 4308.7 MiB / 2955.6 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1894.48 MiB

C: is Fixed (NTFS) - 25.6 GiB total, 2.97 GiB free.
D: is CDROM (No Media)
E: is Fixed (HFSJ) - 85.88 GiB total, 7.28 GiB free.
F: is Fixed (HFSXJ) - 96.77 GiB total, 1.22 GiB free.
G: is Fixed (HFSJ) - 200.87 GiB total, 166.21 GiB free.

\\.\PHYSICALDRIVE0 - FUJITSU MHY2120BH ATA Device - 111.79 GiB - 3 partitions
\PARTITION0 - Unknown - 200.02 MiB
\PARTITION1 - Installable File System - 85.88 GiB - E:
\PARTITION2 (bootable) - Installable File System - 25.6 GiB - C:

\\.\PHYSICALDRIVE1 - WD 3200AAV External USB Device - 298.09 GiB - 3 partitions
\PARTITION0 (bootable) - GPT: System - 200 MiB
\PARTITION1 - GPT: Basic Data - 96.77 GiB - F:
\PARTITION2 - GPT: Basic Data - 200.87 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: Spy Sweeper v5.5.7.124 (Webroot Software Inc)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Daniel Bellinger\AppData\Roaming
CLASSPATH=.;c:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DANIELS-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Daniel Bellinger
LOCALAPPDATA=C:\Users\Daniel Bellinger\AppData\Local
LOGONSERVER=\\DANIELS-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;c:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=c:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\DANIEL~1\AppData\Local\Temp
TMP=C:\Users\DANIEL~1\AppData\Local\Temp
USERDOMAIN=Daniels-PC
USERNAME=Daniel Bellinger
USERPROFILE=C:\Users\Daniel Bellinger
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Daniel Bellinger


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
32 Bit HP CIO Components Installer --> MsiExec.exe /I{09BDEEF0-5590-457D-89A9-5DB2742F9BBF}
Adobe Acrobat 8.1.0 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /i{0D048BE8-AE02-4CB5-A428-616B9848E4A7}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /I{0D048BE8-AE02-4CB5-A428-616B9848E4A7}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Boot Camp Services --> MsiExec.exe /I{F0E45628-1218-4865-A516-8E8A54272ADC}
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Imaging Device Functions 10.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart All-In-One Driver Software 10.0 Rel .2 --> C:\Program Files\HP\Digital Imaging\{20B30DC1-E423-4939-B51D-05C58B0F9BBB}\setup\hpzscr01.exe -datfile hposcr21.dat -onestop
HP Photosmart Essential 2.5 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Solution Center 10.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
MacDrive 7 --> MsiExec.exe /X{E22390D3-E409-4F72-9326-C71A151EA6EF}
MCE Tunes Pro --> MsiExec.exe /I{DE46FEE3-4D5F-446F-ACEC-89E3ED081293}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nero 8 --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Safari --> MsiExec.exe /X{40589552-3892-409E-B92C-9F5032A4B2F0}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
TVUPlayer 2.3.6.1 --> C:\Program Files\TVUPlayer\uninst.exe
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Windows Driver Package - Apple Inc. (applebt) Bluetooth (04/06/2008 2.1.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\applebt.inf_0d0c11d2\applebt.inf
Windows Driver Package - Apple Inc. (applebt) Bluetooth (06/27/2007 2.0.0.1) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\applebt.inf_a011b38f\applebt.inf
Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (01/11/2008 3.4.3.18) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\appleusbethernet.inf_3f4e4a09\appleusbethernet.inf
Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\bthkicker.inf_3abc187b\bthkicker.inf
Windows Driver Package - Apple Inc. Apple Built-in iSight (04/09/2007 1.3.0.0) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\isight.inf_5bb1ef2c\isight.inf
Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\isight.inf_d6d5d8e0\isight.inf
Windows Driver Package - Apple Inc. Apple Display (12/19/2007 2.0.2.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\aaplmonf.inf_bd8dd30e\aaplmonf.inf
Windows Driver Package - Apple Inc. Apple IR Receiver (07/16/2007 2.0.0.1) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\irfilter.inf_573cf2c1\irfilter.inf
Windows Driver Package - Apple Inc. Apple IR Receiver (11/01/2007 2.0.1.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\irfilter.inf_b4b2b4fa\irfilter.inf
Windows Driver Package - Apple Inc. Apple Keyboard (03/10/2008 2.1.0.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\keymagic.inf_4d2e754d\keymagic.inf
Windows Driver Package - Apple Inc. Apple Keyboard (08/30/2007 2.0.1.4) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\keymagic.inf_c8736569\keymagic.inf
Windows Driver Package - Apple Inc. Apple Multitouch (12/18/2007 2.0.1.10) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\applemtp.inf_cf032cb3\applemtp.inf
Windows Driver Package - Apple Inc. Apple Multitouch Mouse (12/18/2007 2.0.1.10) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\applemtm.inf_70b57715\applemtm.inf
Windows Driver Package - Apple Inc. Apple Trackpad (08/28/2007 2.0.1.4) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\aapltp.inf_051788be\aapltp.inf
Windows Driver Package - Apple Inc. Apple Trackpad Enabler (08/28/2007 2.0.1.4) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\aapltctp.inf_5bad8cf5\aapltctp.inf
Windows Driver Package - Apple Inc. System (06/21/2007 2.0.0.0) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\applenull.inf_43895423\applenull.inf
Windows Driver Package - Apple Inc. System (09/12/2007 2.0.1.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\applenull.inf_e4ca739b\applenull.inf
Windows Driver Package - Atheros Communications Inc. (athr) Net (04/15/2007 7.2.0.204) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\netathr.inf_f491033d\netathr.inf
Windows Driver Package - Atheros Communications Inc. Net (04/15/2007 7.2.0.204) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_884c54a9\netathrx.inf
Windows Driver Package - Broadcom (BCM43XX) Net (09/20/2007 4.170.25.12) --> C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\bcmwl6.inf_2109db73\bcmwl6.inf
Windows Driver Package - Marvell (yukonwlh) Net (03/23/2007 10.12.7.3) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\yk60x86.inf_ef72f305\yk60x86.inf
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Sound Schemes --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type3217 / Error
Event Submitted/Written: 06/17/2008 04:00:42 PM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {203ddaab-497c-4abd-b661-9d8932d82ad6}

Event Record #/Type3203 / Success
Event Submitted/Written: 06/17/2008 03:43:27 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type3202 / Success
Event Submitted/Written: 06/17/2008 03:43:24 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type3198 / Success
Event Submitted/Written: 06/17/2008 03:43:02 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type3188 / Warning
Event Submitted/Written: 06/17/2008 03:41:18 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2224152763-3349535448-1655154724-1000_Classes:
Process 1048 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2224152763-3349535448-1655154724-1000_CLASSES



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type26187 / Warning
Event Submitted/Written: 06/17/2008 04:58:13 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Daniels-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Daniels-PC27 can't undo changes that you allow.

For more information please see the following:
%Daniels-PC275

Scan ID: {A4668390-395B-4E65-B483-6AE2A3AD52EC}

User: Daniels-PC\Daniel Bellinger

Name: %Daniels-PC271

ID: %Daniels-PC272

Severity ID: %Daniels-PC273

Category ID: %Daniels-PC274

Path Found: %Daniels-PC276

Alert Type: %Daniels-PC278

Detection Type: 1.1.1600.02

Event Record #/Type26186 / Warning
Event Submitted/Written: 06/17/2008 04:58:13 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Daniels-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Daniels-PC27 can't undo changes that you allow.

For more information please see the following:
%Daniels-PC275

Scan ID: {D19AB479-6B0C-4E03-86CB-8D5C1A01CD56}

User: Daniels-PC\Daniel Bellinger

Name: %Daniels-PC271

ID: %Daniels-PC272

Severity ID: %Daniels-PC273

Category ID: %Daniels-PC274

Path Found: %Daniels-PC276

Alert Type: %Daniels-PC278

Detection Type: 1.1.1600.02

Event Record #/Type26185 / Warning
Event Submitted/Written: 06/17/2008 04:58:12 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Daniels-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Daniels-PC27 can't undo changes that you allow.

For more information please see the following:
%Daniels-PC275

Scan ID: {4217259A-9CDA-4085-94F7-52B7D4823D4D}

User: Daniels-PC\Daniel Bellinger

Name: %Daniels-PC271

ID: %Daniels-PC272

Severity ID: %Daniels-PC273

Category ID: %Daniels-PC274

Path Found: %Daniels-PC276

Alert Type: %Daniels-PC278

Detection Type: 1.1.1600.02

Event Record #/Type26184 / Warning
Event Submitted/Written: 06/17/2008 04:58:12 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Daniels-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Daniels-PC27 can't undo changes that you allow.

For more information please see the following:
%Daniels-PC275

Scan ID: {74EC96B4-69AD-41D6-806E-7F91FD813052}

User: Daniels-PC\Daniel Bellinger

Name: %Daniels-PC271

ID: %Daniels-PC272

Severity ID: %Daniels-PC273

Category ID: %Daniels-PC274

Path Found: %Daniels-PC276

Alert Type: %Daniels-PC278

Detection Type: 1.1.1600.02

Event Record #/Type26183 / Warning
Event Submitted/Written: 06/17/2008 04:58:10 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Daniels-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Daniels-PC27 can't undo changes that you allow.

For more information please see the following:
%Daniels-PC275

Scan ID: {BC24BF7C-D5D2-425A-B2B4-3C027BE3CADF}

User: Daniels-PC\Daniel Bellinger

Name: %Daniels-PC271

ID: %Daniels-PC272

Severity ID: %Daniels-PC273

Category ID: %Daniels-PC274

Path Found: %Daniels-PC276

Alert Type: %Daniels-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-06-17 17:00:59 ------------
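Defender's failure to delete ljJDUkiJ.dll with error 0x80501001 is the usual symptom of a DLL that is held open by several processes at once. The Malwarebytes log posted later in this thread shows where this Vundo variant hooked itself in: two Browser Helper Object CLSIDs (loaded by Internet Explorer), a ShellExecuteHooks value (loaded by Explorer), Run values, and an entry in the LSA "Authentication Packages" list (loaded by lsass.exe at boot, so the file is locked for as long as Windows is up). The PowerShell script below is an added triage example, not part of the original thread and not from Malwarebytes, HijackThis or Deckard's scanner: it walks exactly those locations, resolves each to a file, checks the Authenticode signature and reports which processes currently hold the module. It assumes an elevated PowerShell prompt on the affected machine; nothing in it is hard-coded to the file names seen in this thread.

```powershell
# Added triage example (not from the thread or from any of the tools it uses).
# Enumerates the autostart locations the MBAM log in this thread shows Vundo using:
# Browser Helper Objects, ShellExecuteHooks, Run values and the LSA "Authentication
# Packages" list. Each entry is resolved to a file, signature-checked, and matched
# against the module lists of running processes. Run elevated on the examined host.

function Resolve-ModulePath {
    param([string]$Spec)
    # Run values may be quoted command lines; Authentication Packages are bare module
    # names (e.g. msv1_0) that LSA resolves against System32 with ".dll" appended.
    if ([string]::IsNullOrWhiteSpace($Spec)) { return $null }
    $token = if ($Spec -match '^"([^"]+)"') { $Matches[1] } else { ($Spec -split '\s+')[0] }
    $token = [Environment]::ExpandEnvironmentVariables($token)
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $candidates = if ([IO.Path]::IsPathRooted($token)) { @($token) } else {
        @((Join-Path $sys32 $token), (Join-Path $sys32 "$token.dll"), (Join-Path $env:SystemRoot $token))
    }
    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c -PathType Leaf -ErrorAction SilentlyContinue) {
            return (Resolve-Path -LiteralPath $c).Path
        }
    }
    return $null
}

function Get-ComServerPath {
    param([string]$Clsid)
    # BHOs and ShellExecuteHooks are registered by CLSID; the DLL is under InprocServer32.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            return Resolve-ModulePath ((Get-ItemProperty -LiteralPath $key).'(default)')
        }
    }
    return $null
}

function Get-AutostartModules {
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($sub in Get-ChildItem $bho) {
            [pscustomobject]@{ Source = 'BHO'; Entry = $sub.PSChildName; Path = Get-ComServerPath $sub.PSChildName }
        }
    }
    $seh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $seh) {
        foreach ($clsid in (Get-Item $seh).GetValueNames()) {
            [pscustomobject]@{ Source = 'ShellExecuteHook'; Entry = $clsid; Path = Get-ComServerPath $clsid }
        }
    }
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $run) {
            $key = Get-Item $run
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                [pscustomobject]@{ Source = 'Run'; Entry = "$name = $cmd"; Path = Resolve-ModulePath $cmd }
            }
        }
    }
    # Authentication Packages load into lsass.exe at boot; a DLL listed here stays
    # locked while Windows runs, which is why on-line deletion fails.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages')) {
        [pscustomobject]@{ Source = 'LSA AuthPkg'; Entry = $pkg; Path = Resolve-ModulePath $pkg }
    }
}

function Get-SuspectAutostart {
    # Map every loaded module path to the processes that hold it.
    $loaded = @{}
    foreach ($proc in Get-Process) {
        try {
            foreach ($m in $proc.Modules) { $loaded[$m.FileName.ToLowerInvariant()] += @($proc.ProcessName) }
        } catch { }   # access denied or bitness mismatch on some processes is expected
    }
    foreach ($f in Get-AutostartModules) {
        $status = if ($f.Path) { (Get-AuthenticodeSignature -FilePath $f.Path).Status.ToString() } else { 'FileMissing' }
        $procs  = if ($f.Path) { @($loaded[$f.Path.ToLowerInvariant()] | Sort-Object -Unique) -join ',' } else { '' }
        [pscustomobject]@{ Source = $f.Source; Entry = $f.Entry; Path = $f.Path; Signature = $status; LoadedIn = $procs }
    }
}

# Anything without a valid signature deserves a look; an unsigned, random-named
# System32 DLL loaded into lsass, explorer or iexplore matches the pattern in this thread.
Get-SuspectAutostart | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. A Run value that launches through rundll32.exe resolves to rundll32 itself, which is signed, so inspect the Entry column for the DLL argument rather than trusting the Signature column alone. And an unsigned third-party DLL is not proof of infection; the telling combination here is an unsigned file with a random eight-letter name in System32 that is referenced from the LSA list or a ShellExecuteHook and is loaded into lsass.exe or explorer.exe.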


#2 Thunder

Posted 19 June 2008 - 08:23 AM

Hello Blacknote and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Blacknote


Posted 19 June 2008 - 10:02 AM

I ran the Anti-Malware software and it found about 30 files. 2 could not be removed, so I restarted. When I restarted, MBAM stopped working. I uninstalled my spyware software and restarted again. Now, I figured I should run MBAM just to make sure it did what it needed to do in the restart, but it is logging A LOT of items as infected. Namely most of my fonts and other files. Is this normal? What should I do? Let it run its course? Thanks for your help!!!

#4 Thunder


Posted 19 June 2008 - 04:19 PM

Hello Blacknote,

If you're in doubt, then DO NOT click Remove Selected when the scan is completed,
but post the contents of the log here first, so I can check it.

Greetings,
Thunder

#5 Blacknote


Posted 19 June 2008 - 04:52 PM

I think I figured it out. Here is what I have now:


Malwarebytes' Anti-Malware 1.17
Database version: 869

4:04:53 PM 6/19/2008
mbam-log-6-19-2008 (16-04-49).txt

Scan type: Quick Scan
Objects scanned: 37645
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\gfhrtdcy.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\ljJDUkiJ.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\bgjhjoou.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{744a51dd-fde4-417c-b8ab-349d8dade3ea} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{744a51dd-fde4-417c-b8ab-349d8dade3ea} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9a4b5e49-7784-46b6-9d6a-2411263c7b86} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a4b5e49-7784-46b6-9d6a-2411263c7b86} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{666a4aa1-0012-4c5d-a6d9-2b0dca346f4d} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7b30f6ef-9ccc-46c8-bcaa-a03100895d3d} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\428d226d (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c3e15dfe-d990-4c3f-9be2-4cf4e3e007ce} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM41be11f1 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjdukij -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjdukij -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ekljouaw.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\wauojlke.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\gfhrtdcy.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\ycdtrhfg.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\ljJDUkiJ.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\JikUDJjl.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\JikUDJjl.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\bgjhjoou.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\krpwkdlm.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\pldaabky.dll (Trojan.AVKiller) -> No action taken.
C:\Windows\System32\urwlvegg.dll (Trojan.AVKiller) -> No action taken.
C:\Windows\System32\wftmigmx.dll (Trojan.AVKiller) -> No action taken.
C:\Windows\System32\ybthsgml.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\yjcybtei.dll (Trojan.AVKiller) -> No action taken.
C:\Windows\System32\gpuaywcd.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> No action taken.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:31 PM, on 6/19/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Proxure\MCE Tunes Pro\MCETunesExtenderSupport.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\IRW.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Proxure\MCE Tunes Pro\ProxureQTHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IRW] C:\Windows\system32\IRW.exe
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [MCE Tunes Video Encoder] "C:\Program Files\Proxure\MCE Tunes Pro\EncService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\RunOnce: [MCE Tunes Extender Support] "C:\Program Files\Proxure\MCE Tunes Pro\LaunchExtenderSupport.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{F13E046A-79BD-4ED5-B42F-BEEE8B08D374}
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - c:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\Windows\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\Windows\system32\AppleTimeSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - c:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - c:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 8092 bytes
ComboFix 08-06-19.1 - Daniel Bellinger 2008-06-19 16:31:21.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1310 [GMT -5:00]
Running from: C:\Users\Daniel Bellinger\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\adwcgtni.dll
C:\Windows\system32\ayysucvf.exe
C:\Windows\system32\bgjhjoou.dll
C:\Windows\system32\bjipaqfh.ini
C:\Windows\System32\dkvejgeb.ini
C:\Windows\system32\gdsbvkcv.dll
C:\Windows\system32\gfhrtdcy.dll
C:\Windows\System32\ghikmnmp.ini
C:\Windows\System32\ghikmnmp.ini2
C:\Windows\system32\gpuaywcd.dll
C:\Windows\System32\hlrgvxlm.ini
C:\Windows\System32\ihjPoUvw.ini
C:\Windows\System32\ihjPoUvw.ini2
C:\Windows\System32\JikUDJjl.ini
C:\Windows\system32\jnhqrpwk.dll
C:\Windows\system32\jvrpjubt.exe
C:\Windows\system32\kvcyxfux.ini
C:\Windows\system32\kwjigice.ini
C:\Windows\system32\ljJDUkiJ.dll
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\pqpetjwj.ini
C:\Windows\system32\rgrtbbpr.ini
C:\Windows\system32\rkbcogut.ini
C:\Windows\system32\ssddagmx.ini
C:\Windows\system32\wtnkipnj.ini
C:\Windows\System32\xISsAJlm.ini
C:\Windows\System32\xISsAJlm.ini2
C:\Windows\system32\ynbcbtjp.exe
C:\Windows\system32\yuskmfno.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-19 21:49 . 2008-01-19 02:45 333,203 -rahs---- C:\bootmgr
2008-06-19 15:59 . 2008-06-10 19:02 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-19 15:59 . 2008-06-10 19:02 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-19 09:15 . 2008-06-19 09:15 <DIR> d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Malwarebytes
2008-06-19 09:14 . 2008-06-19 09:14 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-19 09:14 . 2008-06-19 09:14 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-19 09:14 . 2008-06-19 15:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-18 16:07 . 2007-03-23 04:05 29,272 -ra------ C:\Windows\System32\AdobePDF.dll
2008-06-18 15:46 . 2008-06-18 15:46 <DIR> d-------- C:\Users\Daniel Bellinger\AppData\Roaming\PCF-VLC
2008-06-18 15:42 . 2008-06-18 15:42 <DIR> d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Participatory Culture Foundation
2008-06-18 15:40 . 2008-06-18 15:40 <DIR> d-------- C:\Program Files\Participatory Culture Foundation
2008-06-18 10:26 . 2008-06-18 10:26 0 --a------ C:\Windows\nsreg.dat
2008-06-17 16:55 . 2008-06-17 16:55 <DIR> d-------- C:\Deckard
2008-06-17 15:37 . 2008-06-17 15:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 15:04 . 2008-06-17 15:05 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-06-17 15:04 . 2008-06-17 15:05 <DIR> d-------- C:\ProgramData\NVIDIA
2008-06-17 14:48 . 2008-04-15 15:30 19,968 --a------ C:\Windows\System32\drivers\KeyMagic.sys
2008-06-17 14:47 . 2008-04-15 15:31 16,512 --a------ C:\Windows\System32\drivers\IRFilter.sys
2008-06-17 14:46 . 2008-04-15 15:36 553 --a------ C:\Windows\USetup.iss
2008-06-17 14:41 . 2008-04-15 15:36 4,706,304 --a------ C:\Windows\RtHDVCpl.exe
2008-06-17 14:41 . 2008-04-15 15:36 2,016,920 --a------ C:\Windows\System32\drivers\RTKVHDA.sys
2008-06-17 14:41 . 2008-04-15 15:36 1,826,816 --a------ C:\Windows\SkyTel.exe
2008-06-17 14:41 . 2008-04-15 15:36 1,191,936 --a------ C:\Windows\RtlUpd.exe
2008-06-17 14:41 . 2008-04-15 15:36 582,656 --a------ C:\Windows\System32\RtkPgExt.dll
2008-06-17 14:41 . 2008-04-15 15:36 532,480 --a------ C:\Windows\System32\RTSndMgr.cpl
2008-06-17 14:37 . 2008-04-15 15:35 1,079,840 --a------ C:\Windows\System32\nvcpluir.dll
2008-06-17 14:37 . 2008-04-15 15:35 760,352 --a------ C:\Windows\System32\nvcplui.exe
2008-06-17 14:37 . 2008-04-15 15:35 420,384 --a------ C:\Windows\System32\nvcpl.cpl
2008-06-17 14:37 . 2008-04-15 15:35 313,888 --a------ C:\Windows\System32\nvexpbar.dll
2008-06-17 14:30 . 2008-01-24 14:37 360,448 --a------ C:\Windows\System32\NVUNINST.EXE
2008-06-17 14:29 . 2008-06-17 14:29 <DIR> dr------- C:\Users\Daniel Bellinger\Pictures
2008-06-17 14:29 . 2008-06-17 14:29 <DIR> dr------- C:\Users\Daniel Bellinger\Music
2008-06-17 14:20 . 2008-04-15 15:29 9,088 --a------ C:\Windows\System32\drivers\applebt.sys
2008-06-16 20:40 . 2008-06-17 14:52 <DIR> d-------- C:\Program Files\Boot Camp
2008-06-15 22:04 . 2008-06-15 22:04 0 --ah----- C:\Users\Default.LOG2
2008-06-15 22:04 . 2008-06-15 22:04 0 --ah----- C:\Users\Default.LOG1
2008-06-15 22:04 . 2008-06-15 22:04 0 --ah----- C:\ProgramData.LOG2
2008-06-15 22:04 . 2008-06-15 22:04 0 --ah----- C:\ProgramData.LOG1
2008-06-15 12:21 . 2008-06-15 12:21 <DIR> d-------- C:\SiteAdvisor
2008-06-15 12:07 . 2008-04-22 23:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-15 12:07 . 2008-04-22 23:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-15 12:07 . 2008-04-22 23:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-15 12:07 . 2008-04-22 23:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-15 12:05 . 2008-04-26 03:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-15 12:05 . 2008-04-24 23:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-15 12:05 . 2008-04-28 20:42 220,160 --a------ C:\Windows\System32\drivers\bthport.sys
2008-06-15 12:05 . 2008-04-28 22:54 181,760 --a------ C:\Windows\System32\fsquirt.exe
2008-06-15 12:05 . 2008-05-09 20:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-15 12:05 . 2008-04-28 20:42 29,184 --a------ C:\Windows\System32\drivers\BTHUSB.SYS
2008-06-15 12:04 . 2008-04-24 21:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-05-29 09:15 . 2008-05-29 09:15 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-05-28 17:29 . 2008-05-28 17:29 <DIR> d-------- C:\Program Files\Research In Motion
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Videos
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Searches
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Saved Games
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Pictures
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Links
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Downloads
2008-05-28 16:50 . 2008-05-28 16:50 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-05-28 16:33 . 2008-05-28 16:33 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-28 09:13 . 2008-05-28 09:13 <DIR> d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Logitech
2008-05-28 09:13 . 2008-05-28 09:13 <DIR> d-------- C:\Users\All Users\LogiShrd
2008-05-28 09:13 . 2008-05-28 09:13 <DIR> d-------- C:\ProgramData\LogiShrd
2008-05-28 09:11 . 2008-05-28 09:11 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-28 09:10 . 2008-05-02 02:38 301,656 --a------ C:\Windows\System32\BtCoreIf.dll
2008-05-28 09:10 . 2008-05-02 02:39 170,512 --a------ C:\Windows\System32\kemutb.dll
2008-05-28 09:10 . 2008-05-02 02:39 145,936 --a------ C:\Windows\System32\KemUtil.dll
2008-05-28 09:10 . 2008-05-02 02:40 117,264 --a------ C:\Windows\System32\KemWnd.dll
2008-05-28 09:10 . 2008-05-02 02:40 84,496 --a------ C:\Windows\System32\KemXML.dll
2008-05-28 09:09 . 2008-05-28 09:09 <DIR> d-------- C:\Users\Daniel Bellinger\AppData\Roaming\InstallShield
2008-05-28 09:09 . 2008-05-28 09:13 <DIR> d-------- C:\Users\All Users\Logitech
2008-05-28 09:09 . 2008-05-28 09:13 <DIR> d-------- C:\ProgramData\Logitech
2008-05-28 09:09 . 2008-05-28 09:09 <DIR> d-------- C:\Program Files\Logitech
2008-05-28 09:09 . 2008-05-28 09:10 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-05-28 08:47 . 2008-03-07 21:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-28 08:47 . 2008-03-07 23:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-26 05:01 . 2008-05-26 05:01 <DIR> d-------- C:\PerfLogs
2008-05-26 02:50 . 2008-01-19 02:33 2,623,488 --a------ C:\Windows\System32\SLsvc.exe
2008-05-26 02:50 . 2008-01-19 02:36 1,541,120 --a------ C:\Windows\System32\onex.dll
2008-05-26 02:47 . 2008-01-18 22:12 3,662,296 --a------ C:\Windows\System32\locale.nls
2008-05-26 02:46 . 2008-01-19 02:35 4,875,776 --a------ C:\Windows\System32\NlsData0009.dll
2008-05-26 02:45 . 2008-01-19 02:35 2,643,456 --a------ C:\Windows\System32\NlsData000c.dll
2008-05-26 02:44 . 2008-01-19 02:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-05-26 02:43 . 2008-01-19 02:35 3,072,000 --a------ C:\Windows\System32\networkmap.dll
2008-05-26 02:42 . 2008-01-19 02:36 2,588,160 --a------ C:\Windows\System32\UIHub.dll
2008-05-26 02:41 . 2008-01-19 02:32 5,714,432 --a------ C:\Windows\System32\logon.scr
2008-05-26 02:40 . 2008-01-19 02:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
2008-05-26 02:39 . 2008-01-19 01:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-05-26 02:38 . 2008-01-19 02:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
2008-05-26 02:38 . 2008-01-05 06:31 145,455 --a------ C:\Windows\System32\perfmon.msc
2008-05-26 02:38 . 2008-01-05 06:31 3 --a------ C:\Windows\System32\drivers\MsftWdf_Kernel_01007_Inbox_Critical.Wdf
2008-05-26 02:37 . 2008-01-19 02:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-05-26 02:37 . 2008-01-19 02:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-05-26 02:37 . 2008-01-19 02:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-05-26 02:36 . 2008-01-19 02:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-05-26 02:36 . 2008-01-19 02:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-05-26 02:36 . 2008-01-19 02:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-05-26 02:36 . 2008-01-19 02:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-05-26 02:36 . 2008-01-19 02:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-05-26 02:36 . 2008-01-19 02:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-05-26 01:03 . 2008-06-15 12:30 129 --a------ C:\Windows\System32\MRT.INI
2008-05-25 17:08 . 2008-05-25 17:08 <DIR> d-------- C:\Users\Daniel Bellinger\AppData\Roaming\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 04:26 --------- d-----w C:\ProgramData\FLEXnet
2008-06-18 17:33 --------- d-----w C:\ProgramData\DVD Shrink
2008-06-18 17:04 --------- d-----w C:\Users\Daniel Bellinger\AppData\Roaming\uTorrent
2008-06-17 20:43 --------- d-----w C:\ProgramData\McAfee
2008-06-17 20:35 --------- d-----w C:\ProgramData\SiteAdvisor
2008-06-17 19:41 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-06-17 19:20 --------- d-----w C:\Program Files\DIFX
2008-06-17 01:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 02:49 --------- d-----w C:\Program Files\Windows Mail
2008-05-28 21:54 --------- d-----w C:\ProgramData\Roxio
2008-05-28 21:54 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-05-28 21:54 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-05-28 13:36 174 --sha-w C:\Program Files\desktop.ini
2008-05-26 10:07 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-26 10:07 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-26 10:07 --------- d-----w C:\Program Files\Windows Journal
2008-05-26 10:07 --------- d-----w C:\Program Files\Windows Defender
2008-05-26 10:07 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-26 10:07 --------- d-----w C:\Program Files\Windows Calendar
2008-05-26 06:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-26 02:07 --------- d-----w C:\ProgramData\Viewpoint
2008-05-12 17:36 --------- d-----w C:\Program Files\Java
2008-05-07 14:55 767,488 ----a-w C:\Windows\system32\drivers\athr.sys
2008-05-05 20:06 --------- d-----w C:\Program Files\Common Files\Java
2008-05-05 19:28 --------- d-----w C:\ProgramData\Proxure
2008-05-05 19:06 --------- d-----w C:\Program Files\Proxure
2008-04-24 01:46 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-24 01:46 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-22 21:55 --------- d-----w C:\Program Files\Safari
2008-04-22 03:07 --------- d-----w C:\Users\Daniel Bellinger\AppData\Roaming\HP
2008-04-22 03:01 --------- d-----w C:\ProgramData\HP Product Assistant
2008-04-22 03:01 --------- d-----w C:\ProgramData\HP
2008-04-22 03:01 --------- d-----w C:\Program Files\HP
2008-04-22 02:37 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-22 02:37 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-22 02:36 --------- d-----w C:\Program Files\Common Files\HP
2008-04-22 02:34 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-04-19 01:15 --------- d-----w C:\ProgramData\AOL OCP
2008-04-19 01:14 --------- d-----w C:\Users\Daniel Bellinger\AppData\Roaming\acccore
2008-04-19 01:14 --------- d-----w C:\Program Files\AIM6
2008-04-19 01:13 --------- d-----w C:\ProgramData\AOL
2008-04-19 01:13 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-19 01:07 --------- d-----w C:\ProgramData\Yahoo!
2008-04-19 01:06 --------- d-----w C:\Program Files\Yahoo!
2008-04-17 14:04 315,392 ----a-w C:\Windows\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{FD8348AB-D74A-4C76-B2FE-926FF6D7CC40}]
@=MacDrive Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 02:33 125952]
"Aim6"="" []
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [2008-01-19 02:33 12800]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 02:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-15 15:36 4706304 C:\Windows\RtHDVCpl.exe]
"IRW"="C:\Windows\system32\IRW.exe" [2008-04-15 15:31 147456]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 10:57 179288]
"MDGetStarted.exe"="C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 13:23 139264]
"MCE Tunes Video Encoder"="C:\Program Files\Proxure\MCE Tunes Pro\EncService.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 C:\Windows\KHALMNPR.Exe]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2008-04-15 16:46 423216]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MCE Tunes Extender Support"="C:\Program Files\Proxure\MCE Tunes Pro\LaunchExtenderSupport.exe" [2008-03-13 17:41 50432]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-28 09:10:02 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2224152763-3349535448-1655154724-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{90F01749-F82C-42CB-A8DA-3BA4DC6FAD7B}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{150A4CB1-1641-46D5-89D2-916E5ADF3C48}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{71A2839F-AD4A-4272-864D-8CE14164E5A5}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{145A9FCD-6E50-4E4F-862A-F90966E904EA}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{694639C5-DC43-4F5C-9D31-A1AA787C6453}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{FB25BE10-111D-4BD6-9514-142E7D6E2D34}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"UDP Query User{11575A82-DAB6-4AD3-8EE6-0E7C1498E8BD}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"TCP Query User{92D58808-D38B-4888-854A-3700C955A469}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{8CC31756-FF13-45B1-AB2A-7A3F0C3988E1}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{481A679F-E77B-470A-877A-C14BCAECECA3}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{64F52DA0-6307-490C-B105-509A143605D3}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{70E776A9-D0CC-4DF7-9823-091405573B14}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F8EFF421-CACE-44FB-9E07-B5F1930BC5C3}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6B2DAF3C-A44E-4EC3-8CBD-1454CD529FF5}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A370EA00-FBFB-4F2A-AA5F-01414772367D}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{056CD39F-506F-46AA-9580-00581C1871E9}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{062308FB-C0BF-4E7E-B038-C9D49C171BBD}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B2D83DB6-A2D7-462D-B6E5-25408013BB71}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E718EFE2-B018-4DB3-A205-0084E61E6D4C}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{12FB57FC-3619-44D4-B3F9-7316EB4C4B16}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{79DFC62D-FEA1-4E19-8423-9A81E88AC9AA}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{5941ADA1-0A82-431C-823F-41F10307B2E9}"= Disabled:UDP:C:\Users\Daniel Bellinger\AppData\Local\Temp\7zS5EF2.tmp\setup\HPZnui01.exe:hpznui01.exe
"{C3C92F6E-C263-43B3-8758-9C13081CFBD5}"= Disabled:TCP:C:\Users\Daniel Bellinger\AppData\Local\Temp\7zS5EF2.tmp\setup\HPZnui01.exe:hpznui01.exe
"{E327DDA2-C959-4C71-B055-1F6EA68BAE58}"= Disabled:UDP:C:\Users\Daniel Bellinger\AppData\Local\Temp\7zSEC41.tmp\setup\HPZnui01.exe:hpznui01.exe
"{59F752B0-9CAE-48A7-BE19-35A2B0234BE6}"= Disabled:TCP:C:\Users\Daniel Bellinger\AppData\Local\Temp\7zSEC41.tmp\setup\HPZnui01.exe:hpznui01.exe
"{02BB90EC-28E9-41F4-9D44-EF6D4171067C}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{1B84DC7B-716E-4DA1-A5C6-3664F2A51DEF}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{207DA81E-14E1-4D0B-9EF7-DDDB5EB55A7F}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{38C46749-DE6B-492D-9F85-324FA1A28D78}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"TCP Query User{13A7E9A3-F727-4AB4-BDE3-88ABB093D3F6}C:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= UDP:C:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"UDP Query User{59770F8C-4120-4EF1-94E9-3C592E3BFD3D}C:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= TCP:C:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"TCP Query User{37E15889-C901-4358-8D03-A330A66938D8}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{AC667AC1-4281-48D3-9EB1-25DB95ADE440}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger

R0 MDFSYSNT;MacDrive file system driver;C:\Windows\system32\drivers\MDFSYSNT.sys [2008-02-12 08:58]
R0 MDPMGRNT;MDPMGRNT;C:\Windows\system32\drivers\MDPMGRNT.sys [2007-02-28 11:15]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\system32\AppleOSSMgr.exe [2008-04-15 16:46]
R2 AppleTimeSrv;Apple Time Service;C:\Windows\system32\AppleTimeSrv.exe [2008-04-15 16:46]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2008-01-19 02:33]
R2 KeyAgent;KeyAgent;C:\Windows\system32\drivers\KeyAgent.sys [2008-04-15 16:46]
R2 MacDriveService;MacDriveService;"C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe" [2007-05-01 14:55]
R2 MacHALDriver;Mac HAL;C:\Windows\system32\drivers\MacHALDriver.sys [2008-04-15 16:46]
R3 aapltctp;Apple Trackpad Enabler;C:\Windows\system32\DRIVERS\aapltctp.sys [2007-10-08 20:56]
R3 aapltp;Apple Trackpad;C:\Windows\system32\DRIVERS\aapltp.sys [2007-10-08 20:56]
R3 applebt;Apple Built-in Bluetooth;C:\Windows\system32\DRIVERS\applebt.sys [2008-04-15 15:29]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\system32\DRIVERS\IRFilter.sys [2008-04-15 15:31]
R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\system32\DRIVERS\KeyMagic.sys [2008-04-15 15:30]
R3 Pxrmcet;Pxrmcet;C:\Windows\system32\DRIVERS\Pxrmcet.sys [2008-03-13 17:42]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S3 BthKicker;Apple Bluetooth Device Driver;C:\Windows\system32\DRIVERS\BthKicker.sys [2007-10-08 20:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
GPSvcGroup REG_MULTI_SZ GPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 22:28:09 C:\Windows\Tasks\User_Feed_Synchronization-{F13E046A-79BD-4ED5-B42F-BEEE8B08D374}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 16:37:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> ?:\Windows\system32\thumbcache.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Proxure\MCE Tunes Pro\MCETunesExtenderSupport.exe
C:\Windows\System32\IoctlSvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Proxure\MCE Tunes Pro\ProxureQTHost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-19 16:48:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 21:47:55

Pre-Run: 2,229,764,096 bytes free
Post-Run: 1,840,697,344 bytes free

326 --- E O F --- 2008-06-19 20:36:02

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:15 PM

Posted 19 June 2008 - 05:09 PM

Hello Blacknote,

Looks quite good. :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the following command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
No more problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
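
The O3 entry flagged in the post above is an Internet Explorer toolbar registration whose CLSID no longer resolves to a DLL on disk, which is what HijackThis prints as "(no file)". The PowerShell script below is an added example, not code from the thread or from HijackThis: it lists toolbar (O3) and Browser Helper Object (O2) registrations whose COM server file is missing, so an orphaned entry like the one above can be spotted without a HijackThis log. It assumes the standard registration locations (the Toolbar and Browser Helper Objects keys under HKLM, and CLSID\InprocServer32 under the classes hives) and only reports; it changes nothing.

```powershell
# Added example (not from the thread): report Internet Explorer toolbar ("O3") and
# Browser Helper Object ("O2") registrations whose COM server DLL is missing on disk.
# Report only; nothing is modified. Run from an elevated PowerShell prompt.

function Get-ComServerPath {
    param([string]$Clsid)
    # A COM server records its DLL as the default value of CLSID\{GUID}\InprocServer32.
    # Check the merged view (HKCR) and both per-machine and per-user class hives.
    foreach ($root in 'HKEY_CLASSES_ROOT',
                      'HKEY_LOCAL_MACHINE\Software\Classes',
                      'HKEY_CURRENT_USER\Software\Classes') {
        $key = "Registry::$root\CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $path = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($path) {
                # Strip surrounding quotes and expand %SystemRoot%-style variables.
                return [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
            }
        }
    }
    return $null   # no server registered at all: HijackThis also shows this as "(no file)"
}

function Get-OrphanedIeExtension {
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $results = @()

    # O3: toolbars are registered as values named by CLSID under this key.
    $toolbarKey = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
    if (Test-Path -LiteralPath $toolbarKey) {
        foreach ($name in (Get-Item -LiteralPath $toolbarKey).GetValueNames()) {
            if ($name -match $guidPattern) {
                $results += [pscustomobject]@{
                    Kind  = 'Toolbar (O3)'
                    Clsid = $name
                    Path  = Get-ComServerPath $name
                }
            }
        }
    }

    # O2: BHOs are registered as subkeys named by CLSID under this key.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoKey) {
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            $results += [pscustomobject]@{
                Kind  = 'BHO (O2)'
                Clsid = $sub.PSChildName
                Path  = Get-ComServerPath $sub.PSChildName
            }
        }
    }

    # Orphaned = no server path registered, or the registered file is gone.
    $results | Where-Object { -not $_.Path -or -not (Test-Path -LiteralPath $_.Path) }
}

Get-OrphanedIeExtension | Format-Table -AutoSize
```

The log in this thread comes from an x86 Vista system; on 64-bit Windows the 32-bit Internet Explorer registrations live under the Wow6432Node keys, which this script does not walk. An orphaned entry is harmless by itself (the DLL is already gone), but it is worth removing because it shows where a component was loaded from, and a registration that still resolves to an unfamiliar DLL in System32 deserves a closer look.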

#7 Blacknote

  • Topic Starter
  • Members
  • 4 posts
  • Local time:04:15 PM

Posted 19 June 2008 - 06:05 PM

I believe that worked!!! Thank you sooooo much for all of your help!

#8 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:15 PM

Posted 20 June 2008 - 02:26 AM

Glad we could help, Blacknote :thumbsup:


Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
