
Rootkit Infection


  • This topic is locked
30 replies to this topic

#1 Ian66

  • Members
  • 29 posts
  • OFFLINE

Posted 01 July 2008 - 04:18 PM

Hi

Hopefully one of you wonderful people out there will be able to help me here!

My problems started yesterday (Monday) morning - I was working from home, dialled into work through a VPN connection, when suddenly all my telnet sessions dropped.
I went into my network connections to re-connect, only to find that my work connection had been deleted, and a new connection called 'internet' had been created.

I deleted that, and re-created my work connection, and carried on working - possibly a bit daft, but I was in the middle of something urgent, so didn't really stop to think about what I was doing.

I then started having problems connecting to any google sites, particularly google mail.

This was the point where I realised I really shouldn't have let my anti-virus software get so out of date!

So... I uninstalled McAfee, which had come with my laptop and which had expired, and downloaded & installed AVG 8.0.

Virus scan revealed about 4 infected files, and a few tracking cookies, all of which it was able to delete successfully.

However, I still had the google connection problems. I then ran a rootkit scan, and it came up with


File c:\WINDOWS\System32\Drivers\as299597.SYS
Infection hidden driver
Result object is hidden

I clicked to delete this file, and got the message

Object is hidden by a rootkit technique (which is usually used my malicious software). Do you really want to remove it?

At this point, I clicked 'No', turned to Google on another machine, and hence ended up here.

Any help which you are able to offer will be very much appreciated!!

DSS logs are attached. I will do a Kaspersky scan overnight and post in the morning, although my AVG scan shows no errors other than the hidden file already mentioned.

Thanks again

Ian

****************************************************************


Deckard's System Scanner v20071014.68
Run by Ian on 2008-07-01 21:34:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
67: 2008-07-01 20:35:12 UTC - RP221 - Deckard's System Scanner Restore Point
66: 2008-07-01 17:16:41 UTC - RP220 - Move file to quarantine: eewaaiqb.dll
65: 2008-07-01 17:15:16 UTC - RP219 - Move file to quarantine: frbpqytj.dll
64: 2008-07-01 17:11:27 UTC - RP218 - Move file to quarantine: qoMcYRIx.dll
63: 2008-07-01 12:17:10 UTC - RP217 - Installed AVG 8.0


-- First Restore Point --
1: 2008-06-28 09:21:47 UTC - RP155 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ian.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:29, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\WINDOWS\Explorer.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ian\Desktop\dss.exe
C:\DOCUME~1\Ian\Desktop\Ian.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2071115
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2071115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2071115
O1 - Hosts: 172.16.48.1 antares
O1 - Hosts: 172.16.48.2 shiva
O1 - Hosts: 172.16.48.3 poohcorner
O1 - Hosts: 172.16.48.4 vialli
O1 - Hosts: 172.16.48.5 ganesh
O1 - Hosts: 100.74.80.32 atlas
O1 - Hosts: 137.223.65.8 globe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\ytnkohwo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5BC9278E-EE50-4C8A-ACBF-00AE772FB866} - C:\WINDOWS\system32\bhtlecol.dll (file missing)
O2 - BHO: (no name) - {75004187-0143-44D9-8B4F-F0FDEEC5582A} - C:\WINDOWS\system32\nnnnOhGa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\ssqPfdEW.dll (file missing)
O2 - BHO: {d5b3f7ce-a7df-5888-8784-c4542713cf68} - {86fc3172-454c-4878-8885-fd7aec7f3b5d} - C:\WINDOWS\system32\mxocsc.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A5CC051F-7E99-4A7C-8F00-BCBC06D90703} - C:\WINDOWS\system32\ssqpMeCV.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {E684A5F2-4406-47AC-9E83-B3F36045505B} - C:\WINDOWS\system32\qoMcYRIx.dll (file missing)
O2 - BHO: (no name) - {F6F4C721-D7B5-4C06-8EA9-F01DFBB11ABd} - C:\WINDOWS\system32\bhtlecol.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM03835f71] Rundll32.exe "C:\WINDOWS\system32\eewaaiqb.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://laptop:8889/forms/jinitiator/jinit.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: ssqPfdEW - ssqPfdEW.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 15703 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 5.0.1.2609>
R2 DVDRIVER - c:\windows\system32\drivers\dvdriver.sys <Not Verified; Eagletron Inc.; DVdriver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 btwmodem (Bluetooth Modem) - c:\windows\system32\drivers\btwmodem.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 5.0.1.2609>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 DXEC02 - c:\windows\system32\drivers\dxec02.sys <Not Verified; Knowles Acoustics; DXEC.02 Speech Enhancement>
R3 MEMSWEEP2 - c:\windows\system32\a1.tmp (file missing)

S2 WebCamDV (WebCamDV DV to Webcam Converter) - c:\windows\system32\drivers\webcamdv.sys (file missing)
S3 btwhid - c:\windows\system32\drivers\btwhid.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 5.0.1.2609>
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 WCDV_Aud (WevCamDV WDM Virtual Audio Device) - c:\windows\system32\drivers\wcdvaud.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 HCLInetd (Hummingbird Inetd) - c:\windows\system32\hummingbird\connectivity\7.10\inetd\inetd32.exe <Not Verified; Hummingbird Ltd.; InetD>
R2 Jconfigd (Hummingbird Jconfig Daemon) - c:\windows\system32\hummingbird\connectivity\7.10\jconfig\jconfigdnt.exe <Not Verified; Hummingbird Ltd.; Jconfig>
R2 OracleServiceXE - c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe <Not Verified; Oracle Corporation; >
R2 OracleXETNSListener - c:\oraclexe\app\oracle\product\10.2.0\server\bin\tnslsnr.exe
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S2 SessionLauncher - c:\docume~1\ian\locals~1\temp\dx9\sessionlauncher.exe (file missing)
S3 DSBrokerService - "c:\program files\dellsupport\brkrsvc.exe" <Not Verified; ; Gteko BrkrSvc Application>
S3 OracleMTSRecoveryService - c:\oraclexe\app\oracle\product\10.2.0\server\bin\omtsreco.exe "oraclemtsrecoveryservice" <Not Verified; Oracle Corporation; Oracle MTS Recovery Service>
S3 OracleXEClrAgent - c:\oraclexe\app\oracle\product\10.2.0\server\bin\oraclragnt.exe agent_sid=clrextproc max_dispatchers=2 tcp_dispatchers=0 max_task_threads=6 max_sessions=25
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>
S4 OracleJobSchedulerXE - c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-28 19:47:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-07-01 19:41:53 0 d-------- C:\Program Files\Sophos
2008-07-01 13:24:30 0 d--h----- C:\$AVG8.VAULT$
2008-07-01 13:17:39 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-01 13:17:39 0 d-------- C:\Documents and Settings\Ian\Application Data\AVGTOOLBAR
2008-07-01 12:05:31 0 d-------- C:\Program Files\AVG
2008-07-01 12:05:30 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-01 10:54:03 103424 --a------ C:\WINDOWS\system32\mxocsc.dll
2008-07-01 10:54:02 103424 --a------ C:\WINDOWS\system32\bhglgucd.dll
2008-07-01 10:53:02 553613 --ahs---- C:\WINDOWS\system32\xIRYcMoq.ini2
2008-07-01 09:54:13 103424 --a------ C:\WINDOWS\system32\msvwnt.dll
2008-07-01 09:54:10 103424 --a------ C:\WINDOWS\system32\cvwfbtsi.dll
2008-07-01 09:51:10 81408 --a------ C:\WINDOWS\system32\oqgmoyvt.dll
2008-07-01 09:45:16 90624 --a------ C:\WINDOWS\system32\nlpakyum.dll
2008-07-01 08:57:10 554417 --ahs---- C:\WINDOWS\system32\VCeMpqss.ini2
2008-06-30 23:08:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 22:26:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-30 22:25:54 0 d-------- C:\Program Files\Security Task Manager
2008-06-30 21:12:37 0 d-------- C:\Documents and Settings\Ian\.housecall6.6
2008-06-30 06:45:39 554031 --ahs---- C:\WINDOWS\system32\uFihPqru.ini2
2008-06-29 12:07:56 553615 --ahs---- C:\WINDOWS\system32\OVEgNXbc.ini2
2008-06-29 07:25:15 553600 --ahs---- C:\WINDOWS\system32\iihkQXbc.ini2
2008-06-28 10:21:36 557707 --ahs---- C:\WINDOWS\system32\aGhOnnnn.ini2
2008-06-28 08:56:58 0 d-------- C:\Documents and Settings\Lara\Application Data\CyberLink
2008-06-21 22:17:41 0 d-------- C:\Program Files\QuickTime
2008-06-21 22:17:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-21 13:47:05 0 d-------- C:\Program Files\KaraFun
2008-06-21 13:47:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Recisio
2008-06-14 07:22:35 0 d-------- C:\Program Files\Platform Studio
2008-06-14 07:12:52 0 d-------- C:\Program Files\Game_Maker7
2008-06-12 14:31:15 0 d-------- C:\scheduler
2008-06-02 13:25:40 0 d-------- C:\Program Files\Classic Menu for Office


-- Find3M Report ---------------------------------------------------------------

2008-07-01 17:33:04 0 d-------- C:\Documents and Settings\Ian\Application Data\OpenOffice.org2
2008-07-01 16:54:39 0 d-------- C:\Program Files\Winamp Remote
2008-07-01 11:29:56 0 d-------- C:\Program Files\Common Files
2008-07-01 11:29:13 0 d-------- C:\Program Files\McAfee
2008-06-29 07:34:27 0 d-------- C:\Program Files\RocketDock
2008-06-28 10:07:06 0 d-------- C:\Documents and Settings\Ian\Application Data\uTorrent
2008-06-24 07:17:26 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-21 14:36:35 0 d-------- C:\Program Files\uTorrent
2008-06-21 07:45:14 0 d-------- C:\Program Files\Guitar Hero Explorer
2008-06-19 09:30:38 0 d-------- C:\Documents and Settings\Ian\Application Data\Mozilla
2008-06-16 19:23:14 0 d-------- C:\Documents and Settings\Ian\Application Data\FileZilla
2008-06-16 08:17:48 0 d-------- C:\Program Files\FileZilla Client
2008-06-12 15:41:11 0 d-------- C:\Documents and Settings\Ian\Application Data\SQL Developer
2008-06-02 13:51:35 0 d-------- C:\Program Files\MagicDVDRipper
2008-05-29 07:58:25 0 d-------- C:\Program Files\HyCam2
2008-05-25 06:47:05 135571 --a------ C:\WINDOWS\system32\nvModes.dat
2008-05-24 07:42:03 0 d-------- C:\Program Files\Frets on Fire
2008-05-19 18:25:45 0 d-------- C:\Documents and Settings\Ian\Application Data\Thunderbird
2008-05-10 23:00:59 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-06 15:05:04 0 d-------- C:\Program Files\PLSQL Developer
2008-04-08 15:15:02 5632 --a------ C:\Documents and Settings\Ian\Application Data\DMX.bmk


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
C:\WINDOWS\system32\ytnkohwo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BC9278E-EE50-4C8A-ACBF-00AE772FB866}]
C:\WINDOWS\system32\bhtlecol.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75004187-0143-44D9-8B4F-F0FDEEC5582A}]
C:\WINDOWS\system32\nnnnOhGa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D3C7FA8-2270-4E6E-8758-87F33B8B3721}]
C:\WINDOWS\system32\ssqPfdEW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86fc3172-454c-4878-8885-fd7aec7f3b5d}]
01/07/2008 10:54 103424 --a------ C:\WINDOWS\system32\mxocsc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
01/07/2008 13:17 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5CC051F-7E99-4A7C-8F00-BCBC06D90703}]
C:\WINDOWS\system32\ssqpMeCV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E684A5F2-4406-47AC-9E83-B3F36045505B}]
C:\WINDOWS\system32\qoMcYRIx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6F4C721-D7B5-4C06-8EA9-F01DFBB11ABd}]
C:\WINDOWS\system32\bhtlecol.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [04/10/2007 21:06 1135968]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/07/2007 23:21]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/06/2007 16:34]
"nwiz"="nwiz.exe" [06/06/2007 16:35 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [06/06/2007 16:34 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/06/2007 16:34]
"SigmatelSysTrayApp"="stsystra.exe" [09/07/2007 23:03 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [21/02/2007 12:19]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [21/02/2007 12:17]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [02/11/2006 15:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [03/10/2006 12:35]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [11/09/2006 05:40]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [16/04/2007 17:10]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [15/11/2007 15:26]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [24/05/2007 08:03]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 22:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [24/08/2007 16:52]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [14/08/2007 04:44]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [01/07/2008 13:17]
"BM03835f71"="C:\WINDOWS\system32\eewaaiqb.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [15/03/2007 13:09]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [19/11/2007 22:44]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [07/01/2008 21:02]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 06:00]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"gStart"="C:\Garmin\gStart.exe" [06/09/2006 11:05]

C:\Documents and Settings\Ian\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [17/08/2007 22:57:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [24/05/2006 19:28:28]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [15/11/2007 15:16:28]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [06/08/2003 14:23:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{7D3C7FA8-2270-4E6E-8758-87F33B8B3721}"= C:\WINDOWS\system32\ssqPfdEW.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPfdEW]
ssqPfdEW.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMcYRIx


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2c3f495-96c3-11dc-b481-806d6172696f}]
AutoRun\command- D:\MEET_DAVE_(PC).exe

*Newly Created Service* - ISDRV122
*Newly Created Service* - MEMSWEEP2



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost
192.168.2.1 wrouter
172.16.48.1 antares
172.16.48.2 shiva
172.16.48.3 poohcorner
172.16.48.4 vialli
172.16.48.5 ganesh
100.74.80.32 atlas
137.223.65.8 globe


-- End of Deckard's System Scanner: finished at 2008-07-01 21:42:00 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T5250 @ 1.50GHz
CPU 1: Intel® Core™2 Duo CPU T5250 @ 1.50GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 2046.11 MiB / 1066.99 MiB
Pagefile Memory (total/avail): 3937.77 MiB / 2601.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.4 MiB

C: is Fixed (NTFS) - 143.44 GiB total, 30.73 GiB free.
D: is CDROM (UDF)
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1637GSX - 149.05 GiB - 4 partitions
\PARTITION0 - Unknown - 109.79 MiB
\PARTITION1 (bootable) - Installable File System - 143.44 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 2.5 GiB
\PARTITION3 - Unknown - 3 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"="C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Hummingbird\\Connectivity\\7.10\\Exceed\\exceed.exe"="C:\\Program Files\\Hummingbird\\Connectivity\\7.10\\Exceed\\exceed.exe:*:Enabled:X server for Win32"
"C:\\DevSuiteHome_1\\jdev\\bin\\jdevw.exe"="C:\\DevSuiteHome_1\\jdev\\bin\\jdevw.exe:*:Enabled:jdevw"
"C:\\Program Files\\Eagletron\\DVdriver\\dvdriver.exe"="C:\\Program Files\\Eagletron\\DVdriver\\dvdriver.exe:*:Enabled:dvdriver application"
"C:\\Documents and Settings\\Ian\\Local Settings\\Temp\\rld11.exe"="C:\\Documents and Settings\\Ian\\Local Settings\\Temp\\rld11.exe:*:Enabled:UK Provider"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ian\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ian
LOGONSERVER=\\LAPTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Java\jre1.5.0_06\bin;C:\DevSuiteHome_1\jdk\jre\bin\classic;C:\DevSuiteHome_1\jdk\jre\bin;C:\DevSuiteHome_1\jdk\jre\bin\client;C:\DevSuiteHome_1\jlib;C:\DevSuiteHome_1\bin;C:\DevSuiteHome_1\jre\1.4.2\bin\client;C:\DevSuiteHome_1\jre\1.4.2\bin;C:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Hummingbird\Connectivity\7.10\Accessories\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\Samsung\Samsung PC Studio 3\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ian\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ian\LOCALS~1\Temp
USERDOMAIN=LAPTOP
USERNAME=Ian
USERPROFILE=C:\Documents and Settings\Ian
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Ian (admin)
Lara (admin)
Beth (admin)
Ethan (admin)
Administrator (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {4F3FCD41-AD1C-4EE8-9D5C-35DBA58BA060}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BAMZOOKi v3.1 (build 115.158) --> "C:\Program Files\BAMZOOKi\unins000.exe"
Broadcom Management Programs --> MsiExec.exe /I{C99C0593-3B48-41D9-B42F-6E035B320449}
Browser Address Error Redirector --> MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Classic Menu 3.x for Office 2007 --> "C:\Program Files\Classic Menu for Office\unins000.exe"
Conexant HDA D330 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
CuteFTP 8 Professional --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91F34319-08DE-457A-99C0-0BCDFAC145B9}\Setup.exe" -l0x9
CyberSky --> C:\PROGRA~1\CyberSky\UNWISE.EXE C:\PROGRA~1\CyberSky\INSTALL.LOG
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Touchpad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect --> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
DirectXInstallService --> MsiExec.exe /X{098122AB-C605-4853-B441-C0A4EB359B75}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVdriver Trial ver. 1.0.2.3 --> "C:\Program Files\Eagletron\DVdriver\unins000.exe"
EMC 10 Content --> MsiExec.exe /X{FDB46DE7-9045-47BB-970A-3E4ED5369E03}
FileZilla Client 3.0.11 --> C:\Program Files\FileZilla Client\uninstall.exe
FoxyTunes for Firefox --> "C:\PROGRA~1\Mozilla Firefox\firefox.exe" -chrome chrome://foxytunes/content/extras/uninstallExtension.xul
Frets On Fire --> "C:\Program Files\Frets on Fire\Uninstall.exe"
Game Maker 7.0 --> C:\Program Files\Game_Maker7\Uninstal.exe
Garmin City Navigator Europe NT v9 --> MsiExec.exe /X{200B415D-7CC6-4818-8624-9E43EDF19D9C}
Garmin Training Center v5 --> MsiExec.exe /X{DE659AC8-EEF0-4115-AA0C-6500D194FB10}
GNU Backgammon 0.15-stable (20061119 code) --> "C:\Program Files\gnubg\unins000.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GoogleTalk Sidebar Conference --> MsiExec.exe /I{BCBEB840-D76E-4F7B-94C4-A6AABAC75490}
Guitar Hero Explorer --> MsiExec.exe /I{2B072A33-D445-46D5-9442-7B41F5171AAC}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Ian\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
Hummingbird Exceed V7.1 --> MsiExec.exe /I{CFBD3858-2164-42B0-84A2-576C18C85082}
HyperCam 2 --> "C:\Program Files\HyCam2\UnHyCam2.exe"
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IntelliSonic Speech Enhancement --> MsiExec.exe /X{D1B5E9C8-4CCF-44E3-87D6-7C00D7DA5370}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KaraFun 1.18 --> "C:\Program Files\KaraFun\unins000.exe"
Knowledge Xpert for PLSQL V8.6 --> C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\UNWISE.EXE C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\INSTALL.LOG
Knowledge Xpert for PLSQL V9.0 --> C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\UNWISE.EXE C:\PROGRA~1\QUESTS~1\KNOWLE~1\PLSQL\INSTALL.LOG
Lexmark Z600 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
Magic DVD Ripper V5.2.1 build 6 --> "C:\Program Files\MagicDVDRipper\unins000.exe"
Magic ISO Maker v5.3 (build 0221) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Magic MP3 Tagger 2.2.4d --> "C:\Program Files\Magic MP3 Tagger\unins000.exe"
Main --> C:\Program Files\3 Vallées\Itineraire\Q3DUnInst.exe
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MediaDirect --> C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office OneNote 2003 --> MsiExec.exe /I{90A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual SourceSafe 2005 - ENU --> "C:\Program Files\Microsoft Visual SourceSafe\Microsoft Visual SourceSafe 2005 - ENU\setup.exe"
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Diagnostic Tool --> MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
Oracle Data Provider for .NET Help --> MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
Oracle Database 10g Express Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{F0BC0F9E-C4A8-485C-93ED-424DB9EA3F75} /l1033
Oracle JInitiator 1.3.1.22 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CAFECAFE-0013-0001-0122-ABCDEFABCDEF}\Setup.exe" -l0x9 -uninst
OutlookAddinSetup --> MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
Platform Studio 3.2 Standard Edition --> "C:\Program Files\Platform Studio\unins000.exe"
PSP Video 9 2.25 --> C:\Program Files\Red Kawa\Video Converter\uninstaller.exe
Qexplain2full --> MsiExec.exe /I{67CF58F5-DBA4-4340-99EA-D71BC07D23EE}
Quest Software Toad for Oracle Version 8.6 --> C:\PROGRA~1\QUESTS~1\TOADFO~1\UNINST~1.EXE
Quest Software Toad for Oracle Version 9.0.1 --> C:\PROGRA~1\QUESTS~1\TOADFO~1\UNINST~1.EXE
Quest SQL Tuning --> C:\PROGRA~1\QUESTS~1\TOADFO~1\TUNING~1\UNWISE.EXE C:\PROGRA~1\QUESTS~1\TOADFO~1\TUNING~1\INSTALL.LOG
Quest SQL Tuning for Oracle --> C:\PROGRA~1\QUESTS~1\TOADFO~1\TUNING~1\UNWISE.EXE C:\PROGRA~1\QUESTS~1\TOADFO~1\TUNING~1\install.log
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RocketDock 1.3.5 --> "C:\Program Files\RocketDock\unins000.exe"
Roxio Activation Module --> MsiExec.exe /I{EC877639-07AB-495C-BFD1-D63AF9140810}
Roxio BackOnTrack --> MsiExec.exe /I{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}
Roxio Central Audio --> MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Central Copy --> MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Central Core --> MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Central Data --> MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Central Tools --> MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio CinePlayer --> MsiExec.exe /I{1B683082-8791-4D00-8ADE-6C8986FCCC68}
Roxio CinePlayer Decoder Pack --> MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
Roxio Disc Gallery --> MsiExec.exe /I{3E67A8DA-FE7B-4160-8465-F5571EA18753}
Roxio Easy Media Creator 10 Suite --> MsiExec.exe /I{BF83EFE2-C9F0-40D4-841C-2066668C1D7A}
Roxio File Backup --> MsiExec.exe /I{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}
Roxio MediaShare --> MsiExec.exe /I{9A9A1828-31D1-4590-A99F-022B7237AFAE}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Composite Device Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
SearchAssist --> C:\DELL\SearchAssist\UninstSA.bat
Security Task Manager 1.7f --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sky Anytime --> MsiExec.exe /X{DD30C2FD-F485-46A8-8153-88EC2650BC79}
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Sony Vegas Movie Studio 8.0 --> MsiExec.exe /X{6D3A42EA-DFD9-4E8A-A9DC-3DE9B162BEDD}
Sophos Anti-Rootkit 1.3.1 --> C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
SportTracks 2.0 --> MsiExec.exe /I{DBB86FEF-CA7B-4A63-AE37-BA774D799168}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TextPad 5 --> MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
Tiscali Internet --> MsiExec.exe /I{58B2B6D3-E5FF-4D16-87AC-52CC5717C7C6}
Virtual Villagers --> "C:\Program Files\MSN Games\Virtual Villagers\Uninstall.exe" "C:\Program Files\MSN Games\Virtual Villagers\install.log"
VNC Free Edition 4.1.2 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
WIDCOMM Bluetooth Software --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Remote --> "C:\Program Files\Winamp Remote\uninstall.exe"
Winamp Toolbar --> "C:\Program Files\Winamp Toolbar\uninstall.exe"
Windows Installer Clean Up --> MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type8702 / Warning
Event Submitted/Written: 07/01/2008 11:00:44 AM
Event ID/Source: 32066 / Microsoft Fax
Event Description:
At least one of the devices in the outgoing routing group is not valid.
Group name: '<All devices>'

Event Record #/Type8590 / Error
Event Submitted/Written: 07/01/2008 00:06:26 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spybotsd.exe, version 1.5.2.20, faulting module spybotsd.exe, version 1.5.2.20, fault address 0x002e609b.
Processing media-specific event for [spybotsd.exe!ws!]

Event Record #/Type8589 / Error
Event Submitted/Written: 07/01/2008 00:06:20 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spybotsd.exe, version 1.5.2.20, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [spybotsd.exe!ws!]

Event Record #/Type8588 / Error
Event Submitted/Written: 07/01/2008 00:06:11 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spybotsd.exe, version 1.5.2.20, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [spybotsd.exe!ws!]

Event Record #/Type8586 / Error
Event Submitted/Written: 06/30/2008 10:27:25 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module ole32.dll, version 5.1.2600.2726, fault address 0x0003030f.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type26799 / Error
Event Submitted/Written: 07/01/2008 05:28:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The WebCamDV DV to Webcam Converter service failed to start due to the following error:
%%2

Event Record #/Type26798 / Error
Event Submitted/Written: 07/01/2008 05:28:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SessionLauncher service failed to start due to the following error:
%%2

Event Record #/Type26797 / Warning
Event Submitted/Written: 07/01/2008 05:28:02 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 001CBF373C3F. The IP address being used is 169.254.7.18.

Event Record #/Type26796 / Warning
Event Submitted/Written: 07/01/2008 05:27:39 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001CBF373C3F. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type26764 / Error
Event Submitted/Written: 07/01/2008 01:59:53 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The WebCamDV DV to Webcam Converter service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-01 21:42:00 ------------


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,732 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:27 PM

Posted 01 July 2008 - 07:06 PM

Hi, Ian66 :thumbsup:

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Ian66

Ian66
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:08:27 PM

Posted 03 July 2008 - 03:51 PM

JSntgRvr - many many thanks for helping out with this!

ok, here we go

Kaspersky log from prior to running ComboFix

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 01, 2008 21:46:32
Records in database: 903012
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 153051
Threat name: 4
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 08:04:22


File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\cseveyxq.dll.q_8046801_q Infected: Trojan.Win32.Obfuscated.auw 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\dvgepa.dll.q_8049401_q Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\eewaaiqb.dll.q_8046201_q Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\frbpqytj.dll.q_8043E01_q Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\nnnnOhGa.dll.q_804E004_q Infected: Trojan.Win32.Monder.wi 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\qoMcYRIx.dll.q_804DE04_q Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Ian\Local Settings\Temporary Internet Files\Content.IE5\KY83D7RR\kb456456[1] Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Ian\Local Settings\Temporary Internet Files\Content.IE5\OTNMJXRF\kb671231[1] Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Ian\Local Settings\Temporary Internet Files\Content.IE5\YZJVD7W4\kb767887[1] Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Ian\My Documents\My Downloads\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\WINDOWS\system32\bhglgucd.dll Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\cvwfbtsi.dll Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\msvwnt.dll Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\mxocsc.dll Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\nlpakyum.dll Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\oqgmoyvt.dll Infected: Trojan.Win32.Monderc.gen 1

The selected area was scanned.



ComboFix


ComboFix 08-07-02.5 - Ian 2008-07-03 21:16:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015 [GMT 1:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM03835f71.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aGhOnnnn.ini
C:\WINDOWS\system32\aGhOnnnn.ini2
C:\WINDOWS\system32\bhglgucd.dll
C:\WINDOWS\system32\cvwfbtsi.dll
C:\WINDOWS\system32\dkvqvbia.ini
C:\WINDOWS\system32\fpniqxrd.ini
C:\WINDOWS\system32\fsnmjgca.ini
C:\WINDOWS\system32\iihkQXbc.ini
C:\WINDOWS\system32\iihkQXbc.ini2
C:\WINDOWS\system32\jtyqpbrf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmleqqyr.ini
C:\WINDOWS\system32\msvwnt.dll
C:\WINDOWS\system32\nlpakyum.dll
C:\WINDOWS\system32\oqgmoyvt.dll
C:\WINDOWS\system32\OVEgNXbc.ini
C:\WINDOWS\system32\OVEgNXbc.ini2
C:\WINDOWS\system32\pntdoapk.ini
C:\WINDOWS\system32\qrdooxmc.ini
C:\WINDOWS\system32\tvyomgqo.ini
C:\WINDOWS\system32\uFihPqru.ini
C:\WINDOWS\system32\uFihPqru.ini2
C:\WINDOWS\system32\VCeMpqss.ini
C:\WINDOWS\system32\VCeMpqss.ini2
C:\WINDOWS\system32\wiuruwbu.ini
C:\WINDOWS\system32\wwvgdngv.ini
C:\WINDOWS\system32\xIRYcMoq.ini
C:\WINDOWS\system32\xIRYcMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-01 21:10 . 2008-07-01 21:10 <DIR> d-------- C:\Deckard
2008-07-01 19:41 . 2008-07-01 19:41 <DIR> d-------- C:\Program Files\Sophos
2008-07-01 13:24 . 2008-07-03 20:14 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-01 13:17 . 2008-07-03 21:31 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-01 13:17 . 2008-07-01 13:17 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\AVGTOOLBAR
2008-07-01 13:17 . 2008-07-01 13:17 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-01 13:17 . 2008-07-01 13:17 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-01 13:17 . 2008-07-01 13:17 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-01 13:17 . 2008-07-01 13:17 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-01 12:05 . 2008-07-01 12:05 <DIR> d-------- C:\Program Files\AVG
2008-07-01 12:05 . 2008-07-01 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-30 23:08 . 2008-06-30 23:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-30 23:08 . 2008-07-01 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 22:26 . 2008-07-03 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-30 22:25 . 2008-06-30 23:07 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-30 21:15 . 2008-07-01 10:20 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-30 21:12 . 2008-07-01 10:22 <DIR> d-------- C:\Documents and Settings\Ian\.housecall6.6
2008-06-28 22:23 . 2008-07-03 20:15 110,415 --a------ C:\WINDOWS\BM03835f71.xml
2008-06-28 08:59 . 2008-06-28 08:59 268 --ah----- C:\sqmdata12.sqm
2008-06-28 08:59 . 2008-06-28 08:59 244 --ah----- C:\sqmnoopt12.sqm
2008-06-28 08:56 . 2008-06-28 08:56 <DIR> d-------- C:\Documents and Settings\Lara\Application Data\CyberLink
2008-06-25 11:05 . 2008-06-25 11:05 0 --a------ C:\expdat.dmp.gz
2008-06-21 22:17 . 2008-06-21 22:18 <DIR> d-------- C:\Program Files\QuickTime
2008-06-21 22:17 . 2008-06-21 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-21 13:47 . 2008-06-21 13:47 <DIR> d-------- C:\Program Files\KaraFun
2008-06-21 13:47 . 2008-06-21 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Recisio
2008-06-17 21:11 . 2008-06-17 21:11 268 --ah----- C:\sqmdata11.sqm
2008-06-17 21:11 . 2008-06-17 21:11 244 --ah----- C:\sqmnoopt11.sqm
2008-06-14 07:22 . 2008-06-21 14:17 <DIR> d-------- C:\Program Files\Platform Studio
2008-06-14 07:13 . 2008-06-14 07:13 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-06-14 07:13 . 2008-06-14 07:13 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-06-14 07:12 . 2008-06-14 07:12 <DIR> d-------- C:\Program Files\Game_Maker7
2008-06-12 14:31 . 2008-06-12 14:31 <DIR> d-------- C:\scheduler
2008-06-11 09:46 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 09:46 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-01 22:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 16:33 --------- d-----w C:\Documents and Settings\Ian\Application Data\OpenOffice.org2
2008-07-01 15:54 --------- d-----w C:\Program Files\Winamp Remote
2008-07-01 10:29 --------- d-----w C:\Program Files\McAfee
2008-07-01 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-29 06:34 --------- d-----w C:\Program Files\RocketDock
2008-06-28 09:07 --------- d-----w C:\Documents and Settings\Ian\Application Data\uTorrent
2008-06-28 08:01 --------- d-----w C:\Documents and Settings\Ethan\Application Data\uTorrent
2008-06-24 06:17 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-21 13:36 --------- d-----w C:\Program Files\uTorrent
2008-06-21 06:45 --------- d-----w C:\Program Files\Guitar Hero Explorer
2008-06-16 18:23 --------- d-----w C:\Documents and Settings\Ian\Application Data\FileZilla
2008-06-16 07:17 --------- d-----w C:\Program Files\FileZilla Client
2008-06-12 14:41 --------- d-----w C:\Documents and Settings\Ian\Application Data\SQL Developer
2008-06-02 12:51 --------- d-----w C:\Program Files\MagicDVDRipper
2008-06-02 12:25 --------- d-----w C:\Program Files\Classic Menu for Office
2008-05-29 06:58 --------- d-----w C:\Program Files\HyCam2
2008-05-25 11:19 --------- d-----w C:\Documents and Settings\Ethan\Application Data\OnReally
2008-05-25 06:21 0 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
2008-05-25 06:21 --------- d-----w C:\Documents and Settings\Guest\Application Data\Template
2008-05-25 05:49 --------- d-----w C:\Documents and Settings\Guest\Application Data\Thunderbird
2008-05-25 05:47 --------- d-----w C:\Documents and Settings\Guest\Application Data\Roxio
2008-05-24 06:43 --------- d-----w C:\Documents and Settings\Ethan\Application Data\fretsonfire
2008-05-24 06:42 --------- d-----w C:\Program Files\Frets on Fire
2008-05-20 05:47 --------- d-----w C:\Documents and Settings\Ethan\Application Data\Thunderbird
2008-05-19 17:25 --------- d-----w C:\Documents and Settings\Ian\Application Data\Thunderbird
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 14:05 --------- d-----w C:\Program Files\PLSQL Developer
2007-12-18 08:58 1,071,978 ----a-w C:\Program Files\WoW-2.0.0-enGB-Installer-downloader.exe
2007-11-21 07:52 0 ----a-w C:\Documents and Settings\Ethan\Application Data\wklnhst.dat
2004-11-01 10:19 3,118,262 ----a-w C:\Program Files\Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 21:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 21:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 13:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-19 22:44 68856]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 21:02 495616]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"gStart"="C:\Garmin\gStart.exe" [2006-09-06 11:05 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 23:21 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-06 16:34 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-06 16:34 81920]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 12:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 12:17 970752]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 05:40 86960]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 17:10 184320]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-15 15:26 1862144]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-24 08:03 17920]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 16:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 04:44 113136]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-01 13:17 1231128]
"nwiz"="nwiz.exe" [2007-06-06 16:35 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-06-06 16:34 67584 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-09 23:03 405504 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\Ian\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 19:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-15 15:16:28 50688]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Hummingbird\\Connectivity\\7.10\\Exceed\\exceed.exe"=
"C:\\DevSuiteHome_1\\jdev\\bin\\jdevw.exe"=
"C:\\Program Files\\Eagletron\\DVdriver\\dvdriver.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-01 13:17]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-01 13:17]
R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.sys [2007-01-10 13:00]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-01 13:17]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-01 13:17]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-01 13:17]
R2 DVDRIVER;DVdriver;C:\WINDOWS\system32\DRIVERS\dvdriver.sys [2005-08-29 17:43]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE []
R2 OracleXETNSListener;OracleXETNSListener;C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 01:49]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe" [2007-08-24 16:52]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R3 DXEC02;DXEC02;C:\WINDOWS\system32\drivers\dxec02.sys [2006-11-02 13:31]
R3 RoxMediaDB10;RoxMediaDB10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [2007-08-24 16:52]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe" [2007-08-24 16:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [2007-08-24 16:52]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe []
S2 WebCamDV;WebCamDV DV to Webcam Converter;C:\WINDOWS\system32\DRIVERS\WebCamDV.sys []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A1.tmp []
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [2007-08-24 16:53]
S3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;C:\WINDOWS\system32\drivers\wcdvaud.sys []
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 18:47:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\ytnkohwo.dll
BHO-{5BC9278E-EE50-4C8A-ACBF-00AE772FB866} - C:\WINDOWS\system32\bhtlecol.dll
BHO-{75004187-0143-44D9-8B4F-F0FDEEC5582A} - C:\WINDOWS\system32\nnnnOhGa.dll
BHO-{7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\ssqPfdEW.dll
BHO-{86fc3172-454c-4878-8885-fd7aec7f3b5d} - C:\WINDOWS\system32\mxocsc.dll
BHO-{A5CC051F-7E99-4A7C-8F00-BCBC06D90703} - C:\WINDOWS\system32\ssqpMeCV.dll
BHO-{E684A5F2-4406-47AC-9E83-B3F36045505B} - C:\WINDOWS\system32\qoMcYRIx.dll
BHO-{F6F4C721-D7B5-4C06-8EA9-F01DFBB11ABd} - C:\WINDOWS\system32\bhtlecol.dll
HKLM-Run-BM03835f71 - C:\WINDOWS\system32\eewaaiqb.dll
ShellExecuteHooks-{7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\ssqPfdEW.dll
Notify-ssqPfdEW - ssqPfdEW.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 21:31:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Ian\LOCALS~1\Temp\JETF841.tmp

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\A1.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
.
**************************************************************************
.
Completion time: 2008-07-03 21:39:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-03 20:39:16

Pre-Run: 32,837,894,144 bytes free
Post-Run: 33,399,119,872 bytes free

284 --- E O F --- 2008-06-20 14:37:29

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:53, on 03/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2071115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2071115
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://laptop:8889/forms/jinitiator/jinit.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14012 bytes
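A small triage script for the kinds of lines in the ComboFix and HijackThis logs above, added here as an example (it is not a tool from this thread, from Trend Micro or from the ComboFix author). It flags, for review rather than as a verdict, the patterns a helper reads these logs for: entries whose target file no longer exists, programs started from a Temp directory, a service whose image is a .tmp file or has no timestamp, services with an unknown owner, and AppInit_DLLs entries; the sample lines are constructed from entries in this log.

```python
"""Triage helper for HijackThis (O-prefixed) and ComboFix service lines.

Added example, not a tool from the thread. A flag means "look at this",
not "this is malware": legitimate software trips some of these rules too
(the Oracle listener in this log shows "Unknown owner", for instance).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    entry: str


# Constructed sample, modelled on entries in the HijackThis and ComboFix logs
# posted in this thread (the last line uses ComboFix's service-list format).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A1.tmp []
""".strip()

# HijackThis marks registry entries whose target file is gone with one of these.
DANGLING = re.compile(r"\((?:no file|file missing)\)$")
# Any path component named Temp (also matches the 8.3 form ...\LOCALS~1\Temp\...).
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
TMP_IMAGE = re.compile(r"\.tmp$", re.IGNORECASE)
# ComboFix service line: "<R|S><n> name;display;image [timestamp]".
SERVICE_LINE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<stamp>[^\]]*)\]$"
)
HJT_LINE = re.compile(r"^O(?P<code>\d+)\s+-\s+(?P<body>.*)$")


def triage_line(line_no: int, line: str) -> list[Finding]:
    """Return every rule the line trips; an empty list means nothing stood out."""
    text = line.strip()
    if not text:
        return []
    hits: list[Finding] = []

    if DANGLING.search(text):
        # Leftover registry entry: inert by itself, but it records where
        # something used to load from, and HijackThis can remove it.
        hits.append(Finding(line_no, "dangling-entry", text))
    if TEMP_DIR.search(text):
        # Installed software rarely starts from a user's Temp directory.
        hits.append(Finding(line_no, "runs-from-temp", text))

    svc = SERVICE_LINE.match(text)
    if svc:
        if TMP_IMAGE.search(svc.group("image")):
            hits.append(Finding(line_no, "service-image-is-tmp", text))
        if not svc.group("stamp"):
            # ComboFix prints [] when it could not read the image's timestamp,
            # typically because the file is missing or transient.
            hits.append(Finding(line_no, "service-no-timestamp", text))

    hjt = HJT_LINE.match(text)
    if hjt:
        code = hjt.group("code")
        if code == "20":
            # AppInit_DLLs are loaded into every process that maps user32.dll,
            # so every entry listed there should be identified.
            hits.append(Finding(line_no, "appinit-dll", text))
        if code == "23" and "Unknown owner" in text:
            hits.append(Finding(line_no, "service-unknown-owner", text))
    return hits


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole log, numbering lines from 1."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        findings.extend(triage_line(n, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'dangling-entry': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```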

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,732 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 03 July 2008 - 05:35 PM

Let's check for remnants:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Ian66 (Topic Starter, Members, 29 posts)

Posted 04 July 2008 - 02:45 AM

I downloaded this software OK, but was unable to run the update; the window that was trying to connect just hung and I had to eventually close it.

I then ran the scan anyway. The version I ran with was from 28/06 - here is the log:

Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 5.1.2600 Service Pack 2

08:41:33 04/07/2008
mbam-log-7-4-2008 (08-41-33).txt

Scan type: Quick Scan
Objects scanned: 49088
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

#6 JSntgRvr (Master Surgeon General, Malware Response Team, 10,732 posts, Puerto Rico)

Posted 04 July 2008 - 07:10 PM

How is the computer doing?



#7 Ian66 (Topic Starter, Members, 29 posts)

Posted 05 July 2008 - 03:41 AM

Hi

The computer seems fine now - I can access Google Mail and Google Search. Thank you very much!

I do still have an outstanding query though:

AVG 8.0 rootkit scan still finds a file hidden by a rootkit - I do not know whether I should remove it or not

The file is named c:\Windows\System32\Drivers\abfk35cq.SYS

When I click to remove, I get the message

Object is hidden by a rootkit technique (which is usually used by malicious software). Do you really want to remove it?

At this point, I click no.

Any thoughts or advice on this?

Thanks

Ian

#8 Ian66 (Topic Starter, Members, 29 posts)

Posted 05 July 2008 - 06:11 AM

Actually, there is still some strange behaviour going on. I noticed it start happening just in the last few days, since I seem to have picked up this virus.

Occasionally when I try to connect to some web pages, I get this message displayed:


Connection Interrupted

The document contains no data.

The network link was interrupted while negotiating a connection. Please try again.


Could this be a remnant of the problems I was having? It doesn't seem to be happening on the other laptop using the same internet connection.

#9 JSntgRvr (Master Surgeon General, Malware Response Team, 10,732 posts, Puerto Rico)

Posted 05 July 2008 - 08:01 PM

Hi, Ian66

    Actually, there is still some strange behaviour going on. I noticed it start happening just in the last few days, since I seem to have picked up this virus.

    Occasionally when I try to connect to some web pages, I get this message displayed:

    Connection Interrupted

    The document contains no data.

    The network link was interrupted while negotiating a connection. Please try again.

    Could this be a remnant of the problems I was having? It doesn't seem to be happening on the other laptop using the same internet connection.

How is your connection set up? Is a router installed? Please explain.

Let's check for rootkits:

Please download the gmer rootkit detector from the following link:

Link 1
  • Unzip it and double-click the gmer.exe file.
  • Select the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Press Scan.
  • When it has finished, press Save and post back the log it makes.
  • Repeat the process with the Autostarts tab and do the same there.

Edited by JSntgRvr, 05 July 2008 - 08:09 PM.



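A worked triage of the two log formats exchanged in this thread, added here as an example; it is not part of any post and is not code from GMER, HijackThis or AVG. It reads HijackThis O23 service lines and GMER System / Kernel code sections / Processes lines in the shapes shown in this thread and flags what a helper checks first: a service whose binary sits under a user's Temp folder or is missing from disk, an SSDT or inline hook together with the driver that placed it, a driver GMER can see loaded in memory but cannot open on disk, and a module hidden inside a process. KNOWN_BENIGN (sptd.sys from Alcohol 120%, and the hibernation copy of WMILIB) and the eight-character random-name heuristic are the example's own assumptions, not anything the tools report; the sample lines are constructed from the shapes of the logs posted in this thread.

```python
"""Triage the HijackThis O23 lines and GMER output posted in this thread.
Added example, not part of the original posts and not GMER's or
HijackThis's own code; the allowlist and heuristics are assumptions."""
import re
from dataclasses import dataclass

# Assumption: drivers that hook or hide for legitimate reasons. sptd.sys is the
# disc-emulation driver installed by Alcohol 120% / Daemon Tools; hiber_WMILIB.SYS
# is the hibernation copy of WMILIB that GMER routinely cannot open.
KNOWN_BENIGN = {"sptd.sys", "hiber_wmilib.sys"}
# Assumption: an 8-character alphanumeric driver name is a heuristic for a
# randomly generated rootkit driver, not a verdict.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.sys$", re.I)

O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)\s+\[(0x[0-9A-Fa-f]+)\]")
INLINE_RE = re.compile(r"^\.text\s+(.+?)!(\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes JMP ([0-9A-Fa-f]+)")
UNREADABLE_RE = re.compile(r"^\?\s+(\S+)\s+(.+?)\s*!?$")
HIDDEN_LIB_RE = re.compile(r"^Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\] (0x[0-9A-Fa-f]+)")
TEMP_RE = re.compile(r"\\(temp|locals~1)\\", re.I)


@dataclass
class Finding:
    kind: str      # service, ssdt-hook, inline-hook, hidden-driver, hidden-module
    subject: str   # service name, hooked function, driver path or module path
    detail: str
    severity: str  # "high", "medium" or "info"


def triage_hijackthis(text: str) -> list:
    """Flag O23 services whose binary is missing, has no vendor, or lives in Temp."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name, owner, path, missing = m.groups()
        reasons = []
        if TEMP_RE.search(path):
            reasons.append("binary lives under a user Temp folder")
        if missing:
            reasons.append("binary is missing on disk")
        if owner == "Unknown owner":
            reasons.append("no company name")
        if reasons:
            severity = "high" if TEMP_RE.search(path) else "medium"
            findings.append(Finding("service", name, path + ": " + "; ".join(reasons), severity))
    return findings


def triage_gmer(text: str) -> list:
    """Flag kernel hooks, drivers GMER sees in memory but not on disk, and hidden modules."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            driver, func, addr = m.groups()
            sev = "info" if driver.lower() in KNOWN_BENIGN else "high"
            findings.append(Finding("ssdt-hook", func, f"hooked by {driver} at {addr}", sev))
        elif m := INLINE_RE.match(line):
            module, func, target = m.groups()  # GMER names no module after the target: jump lands outside any image
            findings.append(Finding("inline-hook", f"{module}!{func}", f"JMP to {target}", "medium"))
        elif m := UNREADABLE_RE.match(line):
            path, message = m.groups()
            if "cannot find the file" not in message:
                continue  # a file that is merely locked (sptd.sys) is not hidden
            name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            sev = "info" if name in KNOWN_BENIGN else "high" if RANDOM_NAME_RE.match(name) else "medium"
            findings.append(Finding("hidden-driver", path, "loaded in memory, not visible on disk", sev))
        elif m := HIDDEN_LIB_RE.match(line):
            lib, proc, pid, base = m.groups()
            findings.append(Finding("hidden-module", lib, f"in {proc} (pid {pid}) at {base}", "medium"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity so the worst item is visible at a glance."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample input, modelled on the log lines posted in this thread.
SAMPLE_HJT = r"""
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""
SAMPLE_GMER = r"""
SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B920C68E 5 Bytes JMP 8A46F1C8
? System32\Drivers\abfk35cq.SYS The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified. !
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1040] 0x62350000
"""
```

Run `triage_hijackthis(SAMPLE_HJT)` and `triage_gmer(SAMPLE_GMER)` and print the returned findings. On the sample, the SSDT hooks are attributed to sptd.sys, which the registry entries GMER lists (`Cfg\...@p0 C:\Program Files\Alcohol Soft\Alcohol 120\`) tie to Alcohol 120%, so they are rated info; the item rated high is the driver under System32\Drivers that GMER sees loaded but cannot open on disk, which is what a helper would ask about before deciding whether to let AVG remove it. A file that GMER merely cannot open because it is in use is deliberately not rated, because a locked file is not a hidden one.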
#10 Ian66 (Topic Starter, Members, 29 posts)

Posted 06 July 2008 - 03:16 AM

Here is the GMER log. It claims to have found rootkit activity. Having the Devices option checked caused it to abend each time it was run, so I unselected it for this log file. I then ran it just for Devices and copied the log file it had created, up to the point it abended.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-06 09:09:27
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B920C68E 5 Bytes JMP 8A46F1C8
? System32\Drivers\abfk35cq.SYS The system cannot find the file specified. !
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Winamp Remote\bin\Orb.exe[4688] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 00402CA0 C:\Program Files\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)
.text C:\Program Files\Winamp Remote\bin\OrbTray.exe[5028] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 00413A70 C:\Program Files\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED429A] sptd.sys
---- Processes - GMER 1.0.14 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1040] 0x62350000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1040] 0x60400000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1040] 0x7C340000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1040] 0x61E70000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1040] 0x7C3A0000

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0x3D 0x4E 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x83 0xF1 0x57 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9F 0x26 0x0E 0xA5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0x3D 0x4E 0xF9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x83 0xF1 0x57 0x66 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9F 0x26 0x0E 0xA5 ...
Reg HKLM\SOFTWARE\Classes\.gm6@ gm6file
Reg HKLM\SOFTWARE\Classes\.gmk@ gmkfile
Reg HKLM\SOFTWARE\Classes\.hc2lic@ hc2lic_auto_file
Reg HKLM\SOFTWARE\Classes\.psg@ PlatformStudioGame
Reg HKLM\SOFTWARE\Classes\gm6file@ Game Maker File
Reg HKLM\SOFTWARE\Classes\gm6file\Shell
Reg HKLM\SOFTWARE\Classes\gm6file\Shell\open
Reg HKLM\SOFTWARE\Classes\gm6file\Shell\open\command
Reg HKLM\SOFTWARE\Classes\gm6file\Shell\open\command@ "C:\Program Files\Game_Maker7\Game_Maker.exe" %1
Reg HKLM\SOFTWARE\Classes\gmkfile@ Game Maker File
Reg HKLM\SOFTWARE\Classes\gmkfile\Shell
Reg HKLM\SOFTWARE\Classes\gmkfile\Shell\open
Reg HKLM\SOFTWARE\Classes\gmkfile\Shell\open\command
Reg HKLM\SOFTWARE\Classes\gmkfile\Shell\open\command@ "C:\Program Files\Game_Maker7\Game_Maker.exe" %1
Reg HKLM\SOFTWARE\Classes\hc2lic_auto_file@
Reg HKLM\SOFTWARE\Classes\hc2lic_auto_file\shell
Reg HKLM\SOFTWARE\Classes\hc2lic_auto_file\shell\open
Reg HKLM\SOFTWARE\Classes\hc2lic_auto_file\shell\open\command
Reg HKLM\SOFTWARE\Classes\hc2lic_auto_file\shell\open\command@ "C:\Program Files\HyCam2\HyCam2.exe" "%1"
Reg HKLM\SOFTWARE\Classes\PlatformStudioGame@ Platform Studio Game
Reg HKLM\SOFTWARE\Classes\PlatformStudioGame\DefaultIcon
Reg HKLM\SOFTWARE\Classes\PlatformStudioGame\DefaultIcon@ C:\Program Files\Platform Studio\ps.exe,0
Reg HKLM\SOFTWARE\Classes\PlatformStudioGame\shell
Reg HKLM\SOFTWARE\Classes\PlatformStudioGame\shell\open
Reg HKLM\SOFTWARE\Classes\PlatformStudioGame\shell\open\command
Reg HKLM\SOFTWARE\Classes\PlatformStudioGame\shell\open\command@ "C:\Program Files\Platform Studio\ps.exe" "%1"
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib@ ProtectorLib Class
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib\CLSID
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib\CLSID@ {84798B8E-69F8-4846-9516-373C2996E2F7}
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib\CurVer
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib\CurVer@ protector_dll.ProtectorLib.1
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1@ ProtectorLib Class
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1\CLSID
Reg HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1\CLSID@ {84798B8E-69F8-4846-9516-373C2996E2F7}

---- EOF - GMER 1.0.14 ----



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-06 09:11:41
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A6191E8
Device \FileSystem\Fastfat \FatCdrom 87862488
Device \FileSystem\Udfs \UdfsCdRom 8A21F790
Device \FileSystem\Udfs \UdfsDisk 8A21F790
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{0383427E-15A7-4A12-AAFF-0B35D0B2AE4E} 8A5C4790
Device \Driver\usbuhci \Device\USBPDO-0 8A48A1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A61B1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A61B1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A61B1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A61B1E8
Device \Driver\usbuhci \Device\USBPDO-1 8A48A1E8
Device \Driver\PCI_NTPNP1614 \Device\00000053 sptd.sys
Device \Driver\usbehci \Device\USBPDO-2 8A4861E8
Device \Driver\usbuhci \Device\USBPDO-3 8A48A1E8
Device \Driver\usbuhci \Device\USBPDO-4 8A48A1E8
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 8A48A1E8
Device \Driver\usbehci \Device\USBPDO-6 8A4861E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A68C1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A68C1E8
Device \Driver\Cdrom \Device\CdRom0 8A379450
Device \Driver\NetBT \Device\NetBT_Tcpip_{7F299766-FFFB-4051-BC67-1F17D60CA2DA} 8A5C4790
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A68C1E8
Device \Driver\atapi \Device\Ide\IdePort0 8A68B1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A68B1E8
Device \Driver\atapi \Device\Ide\IdePort1 8A68B1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A68B1E8
Device \Driver\Cdrom \Device\CdRom1 8A379450
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A68C1E8
Device \Driver\Cdrom \Device\CdRom2 8A379450
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A5C4790
Device \Driver\NetBT \Device\NetBT_Tcpip_{5CEC297A-2A2B-461F-8621-E4C97475DD15} 8A5C4790




And from the Autostart tab:

GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2008-07-06 09:14:03
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
avg8emc@ = C:\PROGRA~1\AVG\AVG8\avgemc.exe
avg8wd@ = C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
btwdins@ = C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
EvtEng@ = C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
Fax@ = %systemroot%\system32\fxssvc.exe
HCLInetd@ = C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
Jconfigd@ = C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
KService@ = "C:\Program Files\Kontiki\KService.exe"
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe
OracleServiceXE@ = c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE
OracleXETNSListener@ = C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
Pml Driver HPZ12@ = C:\WINDOWS\system32\HPZipm12.exe
RegSrvc@ = C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
Roxio Upnp Server 10@ = "C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe"
RoxLiveShare10@ = "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe"
RoxWatch10@ = "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe"
S24EventMonitor@ = C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SessionLauncher@ = C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe /*file not found*/
sprtsvc_dellsupportcenter@ = C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter /*file not found*/
StarWindServiceAE@ = C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
WinVNC4@ = "C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service
WLANKEEPER@ = C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /installquiet = nwiz.exe /installquiet
@NVHotkeyrundll32.exe nvHotkey.dll,Start = rundll32.exe nvHotkey.dll,Start
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@SigmatelSysTrayAppstsystra.exe = stsystra.exe
@IntelZeroConfig"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" = "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
@IntelWireless"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
@KADxMainC:\WINDOWS\system32\KADxMain.exe = C:\WINDOWS\system32\KADxMain.exe
@ISUSPM StartupC:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
@ISUSScheduler"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
@PCMService"C:\Program Files\Dell\MediaDirect\PCMService.exe" = "C:\Program Files\Dell\MediaDirect\PCMService.exe"
@dscactivate"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" = "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
@Google Desktop Search"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
@ECenterC:\Dell\E-Center\EULALauncher.exe = C:\Dell\E-Center\EULALauncher.exe
@googletalkC:\Program Files\Google\Google Talk\googletalk.exe /autostart /*file not found*/ = C:\Program Files\Google\Google Talk\googletalk.exe /autostart /*file not found*/
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
@RoxWatchTray"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" = "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
@DMXLauncher"C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" = "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
@kdx"C:\Program Files\Kontiki\KHost.exe" -all = "C:\Program Files\Kontiki\KHost.exe" -all
@Adobe Reader Speed Launcher"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
@DellSupportCenter"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
@AVG8_TRAYC:\PROGRA~1\AVG\AVG8\avgtray.exe = C:\PROGRA~1\AVG\AVG8\avgtray.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@DellSupport"C:\Program Files\DellSupport\DSAgnt.exe" /startup = "C:\Program Files\DellSupport\DSAgnt.exe" /startup
@swgC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
@Orb"C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background = "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
@DellSupportCenter"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@kdxC:\Program Files\Kontiki\KHost.exe -all /*file not found*/ = C:\Program Files\Kontiki\KHost.exe -all /*file not found*/
@gStartC:\Garmin\gStart.exe = C:\Garmin\gStart.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Classes\.scr@ = "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Program Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\Program Files\WinZip\wzshlstb.dll = C:\Program Files\WinZip\wzshlstb.dll
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\Program Files\WinZip\wzshlstb.dll = C:\Program Files\WinZip\wzshlstb.dll
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\Program Files\WinZip\wzshlstb.dll = C:\Program Files\WinZip\wzshlstb.dll
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\Program Files\WinZip\wzshlstb.dll = C:\Program Files\WinZip\wzshlstb.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{8f7261d0-d2b9-11d2-9909-00605205b24c} /*CuteFTP 8 Professional Shell Extension*/C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll = C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll
@{DB8DC413-C0AA-11D0-9545-080009B1C2F3} /*Hummingbird Neighborhood*/(null) =
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{506F4668-F13E-4AA1-BB04-B43203AB3CC0} /*{506F4668-F13E-4AA1-BB04-B43203AB3CC0}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{D66DC78C-4F61-447F-942B-3FB6980118CF} /*{D66DC78C-4F61-447F-942B-3FB6980118CF}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{B73A057F-DC1B-4067-9D8E-B69A07A7C368} /*Microsoft Visual SourceSafe*/C:\Program Files\Microsoft Visual SourceSafe\tdnamespaceextension.dll = C:\Program Files\Microsoft Visual SourceSafe\tdnamespaceextension.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG8 Shell Extension*/C:\Program Files\AVG\AVG8\avgse.dll = C:\Program Files\AVG\AVG8\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG8 Find Extension*/(null) =
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll
CuteFTP 8 Professional@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
RXDCExtSvr@{70D0238E-E029-4a94-B68D-182018B6C4FF} = C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\Program Files\WinZip\wzshlstb.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
CuteFTP 8 Professional@{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\CuteShell.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\Program Files\WinZip\wzshlstb.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG8 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG8\avgse.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
RXDCExtSvr@{70D0238E-E029-4a94-B68D-182018B6C4FF} = C:\Program Files\Roxio\Virtual Drive 10\DC_ShellExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\Program Files\WinZip\wzshlstb.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}C:\Program Files\AVG\AVG8\avgssie.dll = C:\Program Files\AVG\AVG8\avgssie.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Program Files\Spybot - Search & Destroy\SDHelper.dll = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
@{A057A204-BACC-4D26-9990-79A187E2698E}C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL = C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
@{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagewww.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2071115 = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2071115
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/x-internet-signup@CLSID = C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
linkscanner@CLSID = C:\Program Files\AVG\AVG8\avgpp.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
qrev@CLSID = C:\PROGRA~1\QUESTS~1\TOADFO~1\RNetPin.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Bluetooth.lnk = Bluetooth.lnk
Digital Line Detect.lnk = Digital Line Detect.lnk
Microsoft Office OneNote 2003 Quick Launch.lnk = Microsoft Office OneNote 2003 Quick Launch.lnk

---- EOF - GMER 1.0.14 ----

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,732 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:27 PM

Posted 06 July 2008 - 08:25 PM

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
abfk35cq.SYS

[Exclude]

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 Ian66

Ian66
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 06 July 2008 - 08:38 PM

hi

Here is the log as requested. However, since your last post I have re-booted my machine, and my AVG rootkit scan now returns a different filename, so I have also run the search for that file; the log is attached below.

Ian

*************************************

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 07/07/2008 02:31:40 for strings:
; 'abfk35cq.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 07/07/2008 02:35:52 for strings:
; 'aa9pa72g.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,732 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:27 PM

Posted 06 July 2008 - 08:55 PM

Why did you include aa9pa72g.sys?

Download catchme.exe ( 25kB ) from Here to your desktop.
  • Double click the catchme.exe to run it.
  • Press Scan
  • When it finishes, if there are any files listed in the window, press zip to make a copy of any files to submit if we ask for it.
  • It shall produce a log for you.
  • Open catchme.log and post its contents in a reply.



#14 Ian66

Ian66
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 06 July 2008 - 09:13 PM

Why did you include aa9pa72g.sys?


Because my latest rootkit scan using AVG showed this to be a hidden file. The file I posted earlier was a hidden file prior to me rebooting my machine.
I have not tried using AVG to remove this file, as I am wary of what effect this might have on my machine.

Here is the AVG log


Scan "Anti-Rootkit scan" was finished.
Infections found:;"0"
Infected objects removed or healed:;"0"
Not removed or healed:;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"0"
Information count:;"0"
Scan started:;"06 July 2008, 09:48:54"
Scan finished:;"06 July 2008, 09:49:15 (20 second(s) )"
Total object scanned:;"1317"
User who launched the scan:;"SYSTEM"

Rootkits
File;"Infection";"Result"
C:\WINDOWS\System32\Drivers\aa9pa72g.SYS;"Hidden driver";"Object is hidden"



and the catchme log...


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 02:59:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:6d,3d,4e,f9,81,f4,3e,de,89,35,c1,24,fd,11,8c,f1,91,57,67,b2,8a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:6d,3d,4e,f9,81,f4,3e,de,89,35,c1,24,fd,11,8c,f1,91,57,67,b2,8a,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"ScheduledInstallDate"="2008-07-07 02:00:00"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

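The AVG report above is a semicolon-delimited text format, and the two scans in this thread show the same symptom under two different names (abfk35cq.SYS before the reboot, aa9pa72g.SYS after it). As an added example, not AVG's code or anything posted by the participants, the Python below parses that format, flags hidden drivers whose eight-character names look machine-generated, and checks whether the name rotated between two reports; the sample report it embeds is constructed to mirror the log above.

```python
"""Parse AVG 8 'Anti-Rootkit scan' reports and flag hidden drivers with
random-looking names. Added example; the sample report is constructed."""
import re

# Constructed sample in the same ';"value"' layout as the report in the thread.
SAMPLE_REPORT = '''Scan "Anti-Rootkit scan" was finished.
Infections found:;"0"
Scan started:;"06 July 2008, 09:48:54"
Total object scanned:;"1317"

Rootkits
File;"Infection";"Result"
C:\\WINDOWS\\System32\\Drivers\\aa9pa72g.SYS;"Hidden driver";"Object is hidden"
'''

# Eight lower-case letters/digits plus .sys, the shape of both names in the thread.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.sys$", re.IGNORECASE)


def parse_rootkit_section(report):
    """Return [(path, infection, result)] rows from the 'Rootkits' table."""
    rows, in_table = [], False
    for line in report.splitlines():
        if line.strip() == "Rootkits":
            in_table = True          # everything after this header is the table
            continue
        if not in_table or line.startswith("File;") or not line.strip():
            continue                 # skip preamble, column header, blank lines
        fields = [f.strip('"') for f in line.split(";")]
        if len(fields) != 3:
            continue                 # malformed row; ignore rather than crash
        rows.append(tuple(fields))
    return rows


def suspicious_hidden_drivers(report):
    """Paths of hidden drivers whose file name matches RANDOM_NAME."""
    hits = []
    for path, infection, _result in parse_rootkit_section(report):
        name = path.rsplit("\\", 1)[-1]
        if infection == "Hidden driver" and RANDOM_NAME.match(name):
            hits.append(path)
    return hits


def name_rotated(first_report, second_report):
    """True when both reports flag a hidden driver but under different names,
    e.g. before and after a reboot, which suggests the driver is re-created."""
    first = {p.rsplit("\\", 1)[-1].lower() for p in suspicious_hidden_drivers(first_report)}
    second = {p.rsplit("\\", 1)[-1].lower() for p in suspicious_hidden_drivers(second_report)}
    return bool(first) and bool(second) and first.isdisjoint(second)
```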
#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,732 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:27 PM

Posted 07 July 2008 - 10:38 AM

Hi, Ian66 :thumbsup:

Our scanners seem not to detect these files.

Let's try to delete these through Catchme.

Open a new folder on your desktop. Cut and paste Catchme.exe to this new folder, then download the enclosed folder. [attachment=6364:FixMe.zip] Save and extract its contents to the new folder you created. It is a batch file, FixMe.bat. Once extracted, double-click on the FixMe.bat file. Both Catchme.exe and the FixMe.bat file must be contained in the same folder. The MS-DOS window will flash for a second; that is normal. Catchme should produce a report. Please post its contents in your next reply.

Then,
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\DOCUMENTS AND SETTINGS\Ian\LOCAL SETTINGS\Temp\JETF841.tmp
C:\WINDOWS\system32\A1.tmp

Driver::
MEMSWEEP2


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.

Also scan and let me know if they are still being detected.
