Virtumonde Infection


This topic is locked
8 replies to this topic

#1 Davey_MTU


Posted 03 July 2008 - 09:44 PM

Hello -

I have been clean for over 3 years after OldTimer helped me out, but now I have gotten a Virtumonde infection. I have run VundoFix V6.5.10, VirtumundoBeGone 1.5, CCleaner v2.08.588, ComboFix and Spybot S & D.

After several run-throughs last week, everything said I was clean. But Internet Explorer kept popping up and trying to connect to the internet (which was unplugged).

Today, I updated Spybot S&D and it found a Virtumonde.prx infection and said it removed it. I'm betting I still have something, because I get error messages. One is a Windows message box: "Title = RUNDLL, Message = Error loading C:\WINDOWS\system32\jhmodgvw.dll The specified module could not be found." Perhaps that is because Spybot zapped it, but obviously something is still trying to load it. The other box that has popped up is titled "Data Execution Prevention - Microsoft Windows" and it says it has closed "Run a DLL as an App" published by Microsoft Corp.

Anyway, here is my HJT Log. I'll also stick my VirtumundoBeGone Log if it will help to know some of the history. I am running MS Windows XP SP2, Intel Core2 Quad CPU Q6600 @ 2.40GHz, 4 GB RAM, NVIDIA GeForce 8600 GT.

Any help that could save me a format/reinstall would be appreciated. I would also be interested to know how one could make an image of their C: drive for restoration at a later date if this situation was encountered in the future. Is there such a method? Or do you just recommend system recovery?

Thanks,

Dave

-------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Run by Dave on 2008-07-03 21:50:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
22: 2008-07-04 02:50:10 UTC - RP100 - Deckard's System Scanner Restore Point
21: 2008-07-03 22:50:10 UTC - RP99 - System Checkpoint
20: 2008-07-02 01:52:08 UTC - RP98 - System Checkpoint
19: 2008-06-24 11:56:31 UTC - RP97 - Software Distribution Service 3.0
18: 2008-06-23 02:52:40 UTC - RP96 - System Checkpoint


-- First Restore Point --
1: 2008-06-15 02:05:34 UTC - RP79 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:16 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photolightning\autodetect.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Documents and Settings\Dave\Start Menu\Programs\Startup\Mouse_all_macros-CS.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\Dave\Desktop\dss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HIJACK~1\Dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {57C60687-29B1-4426-A56E-7699D391E570} - (no file)
O2 - BHO: {1aef6313-45ba-d04a-2874-2a0475371c4a} - {a4c17357-40a2-4782-a40d-ab543136fea1} - C:\WINDOWS\system32\hqilthwc.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BM1b39f140] Rundll32.exe "C:\WINDOWS\system32\jhmodgvw.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Mouse_all_macros-CS.exe
O4 - Global Startup: Autodetect.lnk = C:\Program Files\Photolightning\autodetect.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite for Autodesk VIZ 2008 (mi-raysat_VIZ2008_32) - Unknown owner - C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11396 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 axskbus - c:\windows\system32\drivers\axskbus.sys (file missing)
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
R2 mi-raysat_VIZ2008_32 (mental ray 3.5 Satellite for Autodesk VIZ 2008) - "c:\program files\autodesk\viz2008\mentalray\satellite\raysat_viz2008_32server.exe"
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Keyboard
Device ID: ACPI\PNP0303\4&B6AFFD&0
Manufacturer: Logitech
Name: PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&B6AFFD&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-07-02 00:00:00 306 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job
2008-06-14 22:07:09 546 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Dave.job
2008-06-14 21:57:33 290 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job


-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-06-26 22:33:07 0 dr-h----- C:\Documents and Settings\Dave\Recent
2008-06-21 00:11:32 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-21 00:04:32 68096 --a------ C:\WINDOWS\zip.exe
2008-06-21 00:04:32 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-21 00:04:32 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-21 00:04:32 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-21 00:04:32 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-21 00:04:32 98816 --a------ C:\WINDOWS\sed.exe
2008-06-21 00:04:32 80412 --a------ C:\WINDOWS\grep.exe
2008-06-21 00:04:32 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-20 21:34:08 0 d-------- C:\VundoFix Backups
2008-06-20 21:28:59 99328 --a------ C:\WINDOWS\system32\hqilthwc.dll
2008-06-18 23:41:01 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2008-06-18 21:31:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-18 21:27:27 0 d-------- C:\WINDOWS\pss
2008-06-18 21:05:59 0 d-------- C:\Program Files\CCleaner
2008-06-14 22:33:07 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-14 22:14:27 0 d-------- C:\Program Files\SymNetDrv
2008-06-14 21:56:46 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys <Not Verified; Symantec Corporation; Symantec Core Component>
2008-06-14 21:56:27 0 d-------- C:\Program Files\Norton SystemWorks
2008-06-14 21:55:45 0 d-------- C:\Documents and Settings\Dave\Application Data\Symantec
2008-06-14 21:55:27 0 d-------- C:\Program Files\Symantec
2008-06-14 21:55:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 20:11:36 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-14 15:33:05 0 d-------- C:\Program Files\Lavasoft
2008-06-14 15:32:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 11:05:06 0 d-------- C:\Documents and Settings\Dave\Application Data\Mp3tag
2008-06-14 11:04:58 0 d-------- C:\Program Files\Mp3tag
2008-06-14 10:56:52 0 d-------- C:\Program Files\GoldWave
2008-06-13 23:26:11 65536 --a------ C:\WINDOWS\Photolightning.SCR <Not Verified; Photolightning; Photolightning>
2008-06-13 23:26:09 0 d-------- C:\Program Files\Photolightning
2008-06-13 23:12:30 0 d-------- C:\Program Files\Common Files\FotoWire
2008-06-09 21:24:55 0 d-------- C:\Program Files\AutoUnpack
2008-06-08 11:29:08 0 d-------- C:\Documents and Settings\All Users\Application Data\espionServerData


-- Find3M Report ---------------------------------------------------------------

2008-07-03 17:28:13 0 d-------- C:\Program Files\Common Files
2008-06-26 22:36:35 0 d-------- C:\Program Files\Steam
2008-06-21 00:04:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 22:27:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-14 20:26:38 0 d-------- C:\Program Files\AVG Anti-Spyware 7.5
2008-06-14 11:13:52 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-06-08 11:28:54 0 d-------- C:\Documents and Settings\Dave\Application Data\Adobe
2008-06-02 00:06:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-02 00:06:29 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-19 22:48:59 0 d-------- C:\Documents and Settings\Dave\Application Data\Ulead Systems
2008-05-19 18:31:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 18:31:33 0 d-------- C:\Program Files\SmartSound Software
2008-05-19 18:31:23 0 d-------- C:\Program Files\QuickTime
2008-05-19 18:30:47 0 d-------- C:\Program Files\Common Files\InterVideo
2008-05-19 18:29:59 0 d-------- C:\Program Files\Windows Media Components
2008-05-19 18:29:57 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-05-19 18:29:19 0 d-------- C:\Program Files\Ulead Systems
2008-05-16 17:41:25 0 d-------- C:\Program Files\QuickPar
2008-05-12 23:32:44 0 d-------- C:\Program Files\Autodesk
2008-05-12 23:32:42 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-08 20:58:09 0 d-------- C:\Documents and Settings\Dave\Application Data\NewsLeecher
2008-05-07 00:32:05 0 d-------- C:\Program Files\Bulk Rename Utility
2008-05-05 23:06:32 0 d-------- C:\Documents and Settings\Dave\Application Data\Skype
2008-05-05 23:05:59 0 d-------- C:\Documents and Settings\Dave\Application Data\skypePM
2008-05-05 21:07:46 0 d-------- C:\Program Files\MagicISO
2008-04-07 21:21:57 4853760 --a------ C:\Program Files\mplayerc.exe <Not Verified; Gabest; Media Player Classic>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C60687-29B1-4426-A56E-7699D391E570}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4c17357-40a2-4782-a40d-ab543136fea1}]
06/20/2008 09:28 PM 99328 --a------ C:\WINDOWS\system32\hqilthwc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F68ECCDB-E163-46DB-9BC2-1703BE6F2130}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [09/06/2007 12:19 PM]
"CPU Power Monitor"="C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [09/06/2007 08:57 PM]
"Cpu Level Up help"="C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [09/11/2007 11:32 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 02:41 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 08:34 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/29/2007 03:17 AM C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 04:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [09/20/2007 10:51 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [03/03/2007 02:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/17/2008 11:42 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [06/14/2008 10:14 PM]
"BM1b39f140"="C:\WINDOWS\system32\jhmodgvw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [09/20/2007 04:35 PM]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [09/09/2004 09:12 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/07/2007 04:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Dave\Start Menu\Programs\Startup\
Mouse_all_macros-CS.exe [3/1/2008 10:56:18 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Autodetect.lnk - C:\Program Files\Photolightning\autodetect.exe [6/13/2008 11:26:12 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2/20/2008 9:15:22 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 01/09/2008 01:30 PM 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b7ac6e2-d51c-11dc-91d4-001e8c25f028}]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-03 21:52:48 ------------



***************************************************************************

***************************************************************************

***************************************************************************


[06/20/2008, 23:59:16] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dave\Desktop\vundoremoval\VirtumundoBeGone.exe" )
[06/20/2008, 23:59:23] - Detected System Information:
[06/20/2008, 23:59:23] - Windows Version: 5.1.2600, Service Pack 2
[06/20/2008, 23:59:23] - Current Username: Dave (Admin)
[06/20/2008, 23:59:23] - Windows is in NORMAL mode.
[06/20/2008, 23:59:23] - Searching for Browser Helper Objects:
[06/20/2008, 23:59:23] - BHO 1: {57C60687-29B1-4426-A56E-7699D391E570} ()
[06/20/2008, 23:59:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:23] - Checking for HKLM\...\Winlogon\Notify\byXRkJyw
[06/20/2008, 23:59:23] - Key not found: HKLM\...\Winlogon\Notify\byXRkJyw, continuing.
[06/20/2008, 23:59:23] - BHO 2: {a4c17357-40a2-4782-a40d-ab543136fea1} ()
[06/20/2008, 23:59:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:23] - Checking for HKLM\...\Winlogon\Notify\hqilthwc
[06/20/2008, 23:59:23] - Key not found: HKLM\...\Winlogon\Notify\hqilthwc, continuing.
[06/20/2008, 23:59:23] - BHO 3: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/20/2008, 23:59:23] - BHO 4: {C7B4574D-4482-49AF-9373-3D2EC0CF1656} ()
[06/20/2008, 23:59:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:23] - Checking for HKLM\...\Winlogon\Notify\awtqrpmm
[06/20/2008, 23:59:23] - Found: HKLM\...\Winlogon\Notify\awtqrpmm - This is probably Virtumundo.
[06/20/2008, 23:59:23] - Assigning {C7B4574D-4482-49AF-9373-3D2EC0CF1656} MSEvents Object
[06/20/2008, 23:59:23] - BHO list has been changed! Starting over...
[06/20/2008, 23:59:23] - BHO 1: {57C60687-29B1-4426-A56E-7699D391E570} ()
[06/20/2008, 23:59:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:23] - Checking for HKLM\...\Winlogon\Notify\byXRkJyw
[06/20/2008, 23:59:23] - Key not found: HKLM\...\Winlogon\Notify\byXRkJyw, continuing.
[06/20/2008, 23:59:23] - BHO 2: {a4c17357-40a2-4782-a40d-ab543136fea1} ()
[06/20/2008, 23:59:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:23] - Checking for HKLM\...\Winlogon\Notify\hqilthwc
[06/20/2008, 23:59:23] - Key not found: HKLM\...\Winlogon\Notify\hqilthwc, continuing.
[06/20/2008, 23:59:23] - BHO 3: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/20/2008, 23:59:23] - BHO 4: {C7B4574D-4482-49AF-9373-3D2EC0CF1656} (MSEvents Object)
[06/20/2008, 23:59:23] - ALERT: Found MSEvents Object!
[06/20/2008, 23:59:23] - BHO 5: {E33EFE71-2FDD-47BC-9B99-ADAAB1E9F293} ()
[06/20/2008, 23:59:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:23] - No filename found. Continuing.
[06/20/2008, 23:59:23] - BHO 6: {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} ()
[06/20/2008, 23:59:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:23] - Checking for HKLM\...\Winlogon\Notify\geBqRlJA
[06/20/2008, 23:59:23] - Key not found: HKLM\...\Winlogon\Notify\geBqRlJA, continuing.
[06/20/2008, 23:59:23] - Finished Searching Browser Helper Objects
[06/20/2008, 23:59:23] - *** Detected MSEvents Object
[06/20/2008, 23:59:23] - Trying to remove MSEvents Object...
[06/20/2008, 23:59:24] - Terminating Process: IEXPLORE.EXE
[06/20/2008, 23:59:24] - Terminating Process: RUNDLL32.EXE
[06/20/2008, 23:59:25] - Disabling Automatic Shell Restart
[06/20/2008, 23:59:25] - Terminating Process: EXPLORER.EXE
[06/20/2008, 23:59:25] - Suspending the NT Session Manager System Service
[06/20/2008, 23:59:25] - Terminating Windows NT Logon/Logoff Manager
[06/20/2008, 23:59:25] - Re-enabling Automatic Shell Restart
[06/20/2008, 23:59:25] - File to disable: C:\WINDOWS\system32\awtqrpmm.dll
[06/20/2008, 23:59:25] - Renaming C:\WINDOWS\system32\awtqrpmm.dll -> C:\WINDOWS\system32\awtqrpmm.dll.vir
[06/20/2008, 23:59:25] - File successfully renamed!
[06/20/2008, 23:59:25] - Removing HKLM\...\Browser Helper Objects\{C7B4574D-4482-49AF-9373-3D2EC0CF1656}
[06/20/2008, 23:59:25] - Removing HKCR\CLSID\{C7B4574D-4482-49AF-9373-3D2EC0CF1656}
[06/20/2008, 23:59:25] - Adding Kill Bit for ActiveX for GUID: {C7B4574D-4482-49AF-9373-3D2EC0CF1656}
[06/20/2008, 23:59:25] - Deleting ATLEvents/MSEvents Registry entries
[06/20/2008, 23:59:25] - Removing HKLM\...\Winlogon\Notify\awtqrpmm
[06/20/2008, 23:59:25] - Searching for Browser Helper Objects:
[06/20/2008, 23:59:25] - BHO 1: {57C60687-29B1-4426-A56E-7699D391E570} ()
[06/20/2008, 23:59:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:25] - Checking for HKLM\...\Winlogon\Notify\byXRkJyw
[06/20/2008, 23:59:25] - Key not found: HKLM\...\Winlogon\Notify\byXRkJyw, continuing.
[06/20/2008, 23:59:25] - BHO 2: {a4c17357-40a2-4782-a40d-ab543136fea1} ()
[06/20/2008, 23:59:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:25] - Checking for HKLM\...\Winlogon\Notify\hqilthwc
[06/20/2008, 23:59:25] - Key not found: HKLM\...\Winlogon\Notify\hqilthwc, continuing.
[06/20/2008, 23:59:25] - BHO 3: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/20/2008, 23:59:25] - BHO 4: {E33EFE71-2FDD-47BC-9B99-ADAAB1E9F293} ()
[06/20/2008, 23:59:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:25] - No filename found. Continuing.
[06/20/2008, 23:59:25] - BHO 5: {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} ()
[06/20/2008, 23:59:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/20/2008, 23:59:25] - Checking for HKLM\...\Winlogon\Notify\geBqRlJA
[06/20/2008, 23:59:25] - Key not found: HKLM\...\Winlogon\Notify\geBqRlJA, continuing.
[06/20/2008, 23:59:25] - Finished Searching Browser Helper Objects
[06/20/2008, 23:59:25] - Finishing up...
[06/20/2008, 23:59:25] - A restart is needed.
[06/20/2008, 23:59:42] - Attempting to Restart via STOP error (Blue Screen!)

[06/21/2008, 0:03:00] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dave\Desktop\vundoremoval\VirtumundoBeGone.exe" )
[06/21/2008, 0:03:02] - Detected System Information:
[06/21/2008, 0:03:02] - Windows Version: 5.1.2600, Service Pack 2
[06/21/2008, 0:03:02] - Current Username: Dave (Admin)
[06/21/2008, 0:03:02] - Windows is in NORMAL mode.
[06/21/2008, 0:03:02] - Searching for Browser Helper Objects:
[06/21/2008, 0:03:02] - BHO 1: {57C60687-29B1-4426-A56E-7699D391E570} ()
[06/21/2008, 0:03:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:02] - Checking for HKLM\...\Winlogon\Notify\byXRkJyw
[06/21/2008, 0:03:02] - Key not found: HKLM\...\Winlogon\Notify\byXRkJyw, continuing.
[06/21/2008, 0:03:02] - BHO 2: {a4c17357-40a2-4782-a40d-ab543136fea1} ()
[06/21/2008, 0:03:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:02] - Checking for HKLM\...\Winlogon\Notify\hqilthwc
[06/21/2008, 0:03:02] - Key not found: HKLM\...\Winlogon\Notify\hqilthwc, continuing.
[06/21/2008, 0:03:02] - BHO 3: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/21/2008, 0:03:02] - BHO 4: {E33EFE71-2FDD-47BC-9B99-ADAAB1E9F293} ()
[06/21/2008, 0:03:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:02] - No filename found. Continuing.
[06/21/2008, 0:03:02] - BHO 5: {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} ()
[06/21/2008, 0:03:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:02] - Checking for HKLM\...\Winlogon\Notify\geBqRlJA
[06/21/2008, 0:03:02] - Key not found: HKLM\...\Winlogon\Notify\geBqRlJA, continuing.
[06/21/2008, 0:03:02] - Finished Searching Browser Helper Objects
[06/21/2008, 0:03:02] - Finishing up...
[06/21/2008, 0:03:02] - Nothing found! Exiting...

[06/21/2008, 0:03:55] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dave\Desktop\vundoremoval\VirtumundoBeGone.exe" )
[06/21/2008, 0:03:56] - Detected System Information:
[06/21/2008, 0:03:56] - Windows Version: 5.1.2600, Service Pack 2
[06/21/2008, 0:03:56] - Current Username: Dave (Admin)
[06/21/2008, 0:03:56] - Windows is in NORMAL mode.
[06/21/2008, 0:03:56] - Searching for Browser Helper Objects:
[06/21/2008, 0:03:56] - BHO 1: {57C60687-29B1-4426-A56E-7699D391E570} ()
[06/21/2008, 0:03:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:56] - Checking for HKLM\...\Winlogon\Notify\byXRkJyw
[06/21/2008, 0:03:56] - Key not found: HKLM\...\Winlogon\Notify\byXRkJyw, continuing.
[06/21/2008, 0:03:56] - BHO 2: {a4c17357-40a2-4782-a40d-ab543136fea1} ()
[06/21/2008, 0:03:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:56] - Checking for HKLM\...\Winlogon\Notify\hqilthwc
[06/21/2008, 0:03:56] - Key not found: HKLM\...\Winlogon\Notify\hqilthwc, continuing.
[06/21/2008, 0:03:56] - BHO 3: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/21/2008, 0:03:56] - BHO 4: {E33EFE71-2FDD-47BC-9B99-ADAAB1E9F293} ()
[06/21/2008, 0:03:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:56] - No filename found. Continuing.
[06/21/2008, 0:03:56] - BHO 5: {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} ()
[06/21/2008, 0:03:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 0:03:56] - Checking for HKLM\...\Winlogon\Notify\geBqRlJA
[06/21/2008, 0:03:56] - Key not found: HKLM\...\Winlogon\Notify\geBqRlJA, continuing.
[06/21/2008, 0:03:56] - Finished Searching Browser Helper Objects
[06/21/2008, 0:03:56] - Finishing up...
[06/21/2008, 0:03:56] - Nothing found! Exiting...

[06/26/2008, 22:29:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dave\Desktop\vundoremoval\VirtumundoBeGone.exe" )
[06/26/2008, 22:30:17] - Detected System Information:
[06/26/2008, 22:30:17] - Windows Version: 5.1.2600, Service Pack 2
[06/26/2008, 22:30:17] - Current Username: Dave (Admin)
[06/26/2008, 22:30:17] - Windows is in NORMAL mode.
[06/26/2008, 22:30:17] - Searching for Browser Helper Objects:
[06/26/2008, 22:30:17] - BHO 1: {57C60687-29B1-4426-A56E-7699D391E570} ()
[06/26/2008, 22:30:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2008, 22:30:17] - Checking for HKLM\...\Winlogon\Notify\byXRkJyw
[06/26/2008, 22:30:17] - Key not found: HKLM\...\Winlogon\Notify\byXRkJyw, continuing.
[06/26/2008, 22:30:17] - BHO 2: {a4c17357-40a2-4782-a40d-ab543136fea1} ()
[06/26/2008, 22:30:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2008, 22:30:17] - Checking for HKLM\...\Winlogon\Notify\hqilthwc
[06/26/2008, 22:30:17] - Key not found: HKLM\...\Winlogon\Notify\hqilthwc, continuing.
[06/26/2008, 22:30:17] - BHO 3: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/26/2008, 22:30:17] - BHO 4: {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} ()
[06/26/2008, 22:30:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2008, 22:30:17] - Checking for HKLM\...\Winlogon\Notify\geBqRlJA
[06/26/2008, 22:30:17] - Key not found: HKLM\...\Winlogon\Notify\geBqRlJA, continuing.
[06/26/2008, 22:30:17] - Finished Searching Browser Helper Objects
[06/26/2008, 22:30:17] - Finishing up...
[06/26/2008, 22:30:17] - Nothing found! Exiting...

[07/03/2008, 20:55:44] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dave\Desktop\vundoremoval\VirtumundoBeGone.exe" )
[07/03/2008, 20:55:45] - Detected System Information:
[07/03/2008, 20:55:45] - Windows Version: 5.1.2600, Service Pack 2
[07/03/2008, 20:55:45] - Current Username: Dave (Admin)
[07/03/2008, 20:55:45] - Windows is in NORMAL mode.
[07/03/2008, 20:55:45] - Searching for Browser Helper Objects:
[07/03/2008, 20:55:45] - BHO 1: {57C60687-29B1-4426-A56E-7699D391E570} ()
[07/03/2008, 20:55:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/03/2008, 20:55:45] - No filename found. Continuing.
[07/03/2008, 20:55:45] - BHO 2: {a4c17357-40a2-4782-a40d-ab543136fea1} ()
[07/03/2008, 20:55:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/03/2008, 20:55:45] - Checking for HKLM\...\Winlogon\Notify\hqilthwc
[07/03/2008, 20:55:45] - Key not found: HKLM\...\Winlogon\Notify\hqilthwc, continuing.
[07/03/2008, 20:55:45] - BHO 3: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[07/03/2008, 20:55:45] - BHO 4: {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} ()
[07/03/2008, 20:55:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/03/2008, 20:55:45] - No filename found. Continuing.
[07/03/2008, 20:55:45] - Finished Searching Browser Helper Objects
[07/03/2008, 20:55:45] - Finishing up...
[07/03/2008, 20:55:45] - Nothing found! Exiting...

*EDIT - REPLACED HJT LOG WITH DECKARD'S SYSTEM SCANNER HJT LOG.

**EDIT - DIDN'T SEE "EXTRA.TXT" ON THE FIRST EDIT. ATTACHED IT PER INSTRUCTION IN LOG FILE.

Edited by Davey_MTU, 03 July 2008 - 10:05 PM.


#2 miekiemoes

miekiemoes

Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:46 AM

Posted 04 July 2008 - 07:51 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Davey_MTU

Davey_MTU
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:46 PM

Posted 04 July 2008 - 11:58 PM

ComboFix 08-07-04.2 - Dave 2008-07-04 23:51:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2718 [GMT -5:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hqilthwc.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 21:50 . 2008-07-03 21:50 <DIR> d-------- C:\Deckard
2008-06-21 00:11 . 2008-06-24 06:56 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-21 00:09 . 2008-06-21 00:09 0 --a------ C:\WINDOWS\BM1b39f140.xml
2008-06-20 21:34 . 2008-06-20 21:34 <DIR> d-------- C:\VundoFix Backups
2008-06-18 23:41 . 2008-06-18 23:41 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-06-18 22:34 . 2008-07-03 16:31 501 --a------ C:\WINDOWS\wininit.ini
2008-06-18 21:31 . 2008-06-18 21:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 21:31 . 2008-06-18 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-18 21:05 . 2008-06-18 21:05 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 22:33 . 2008-06-14 22:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-14 22:14 . 2008-06-14 22:14 <DIR> d-------- C:\Program Files\SymNetDrv
2008-06-14 21:56 . 2008-06-14 22:17 <DIR> d-------- C:\Program Files\Norton SystemWorks
2008-06-14 21:56 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-14 21:56 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-14 21:56 . 2008-06-14 21:56 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-06-14 21:55 . 2008-06-14 22:14 <DIR> d-------- C:\Program Files\Symantec
2008-06-14 21:55 . 2008-06-14 22:05 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Symantec
2008-06-14 21:55 . 2008-06-14 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 21:36 . 2008-06-14 21:36 303 --a------ C:\WINDOWS\ST6UNST.001
2008-06-14 21:07 . 2008-06-14 21:36 4,236 --a------ C:\WINDOWS\SETUP.LST
2008-06-14 21:07 . 2008-06-14 21:07 691 --a------ C:\WINDOWS\ST6UNST.000
2008-06-14 20:58 . 2008-06-14 20:58 25,088 --a------ C:\WINDOWS\system32\awtqrpmm.dll.vir
2008-06-14 20:42 . 2008-04-22 22:35 6,068,224 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-14 20:42 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-14 20:42 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-14 20:42 . 2008-04-22 22:35 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-14 20:42 . 2008-04-22 22:35 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-14 20:42 . 2008-04-22 22:35 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-14 20:42 . 2008-04-22 22:35 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-14 20:42 . 2008-04-22 22:35 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-14 20:42 . 2008-04-22 03:02 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-14 20:40 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 20:40 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-14 15:33 . 2008-06-14 15:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-14 15:32 . 2008-06-14 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 11:05 . 2008-06-14 11:22 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Mp3tag
2008-06-14 11:04 . 2008-06-14 11:05 <DIR> d-------- C:\Program Files\Mp3tag
2008-06-14 10:56 . 2008-06-14 10:56 <DIR> d-------- C:\Program Files\GoldWave
2008-06-13 23:26 . 2008-06-13 23:29 <DIR> d-------- C:\Program Files\Photolightning
2008-06-13 23:26 . 2006-02-06 20:41 65,536 --a------ C:\WINDOWS\Photolightning.SCR
2008-06-13 23:12 . 2008-06-13 23:24 <DIR> d-------- C:\Program Files\Common Files\FotoWire
2008-06-09 21:24 . 2008-06-09 21:26 <DIR> d-------- C:\Program Files\AutoUnpack
2008-06-08 11:29 . 2008-06-08 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 04:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-04 05:25 --------- d-----w C:\Program Files\Steam
2008-06-22 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-21 05:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 03:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-15 01:26 --------- d-----w C:\Program Files\AVG Anti-Spyware 7.5
2008-06-14 16:13 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-06-02 05:06 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-02 05:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-20 03:48 --------- d-----w C:\Documents and Settings\Dave\Application Data\Ulead Systems
2008-05-19 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-05-19 23:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 23:31 --------- d-----w C:\Program Files\SmartSound Software
2008-05-19 23:31 --------- d-----w C:\Program Files\QuickTime
2008-05-19 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-05-19 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-19 23:30 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-05-19 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\InterVideo
2008-05-19 23:29 --------- d-----w C:\Program Files\Windows Media Components
2008-05-19 23:29 --------- d-----w C:\Program Files\Ulead Systems
2008-05-19 23:29 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-05-16 22:41 --------- d-----w C:\Program Files\QuickPar
2008-05-13 04:32 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-05-13 04:32 --------- d-----w C:\Program Files\Autodesk
2008-05-13 04:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-09 01:58 --------- d-----w C:\Documents and Settings\Dave\Application Data\NewsLeecher
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:32 --------- d-----w C:\Program Files\Bulk Rename Utility
2008-05-07 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tarma Installer
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 04:06 --------- d-----w C:\Documents and Settings\Dave\Application Data\Skype
2008-05-06 04:05 --------- d-----w C:\Documents and Settings\Dave\Application Data\skypePM
2008-05-06 02:07 --------- d-----w C:\Program Files\MagicISO
2008-04-23 03:35 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 22:36 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-08 02:21 4,853,760 ----a-w C:\Program Files\mplayerc.exe
2008-02-12 00:35 22,328 ----a-w C:\Documents and Settings\Dave\Application Data\PnkBstrK.sys
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2008-01-28 06:51 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-28 06:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-28 06:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008012820080129\index.dat
2008-01-28 06:51 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-21_ 0.11.11.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-21 05:08:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 04:27:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2005-10-12 23:12:26 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2005-10-12 23:12:33 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-10-07 13:54:33 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-10-07 13:54:03 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2007-10-07 13:54:04 346,624 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2007-10-07 13:54:04 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2007-10-07 13:54:04 132,608 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2007-10-07 13:54:05 61,952 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2007-10-07 13:54:05 56,832 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2007-10-07 13:54:05 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2007-10-07 13:54:06 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2007-10-07 13:54:06 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2007-10-07 13:54:08 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2007-10-07 13:54:08 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2007-10-07 13:54:14 6,059,008 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2007-10-07 13:54:14 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2007-10-07 13:54:14 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2007-10-07 13:54:15 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2007-10-07 13:54:15 625,152 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2007-10-07 13:54:20 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2007-10-07 13:54:21 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2007-04-25 18:08:34 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2007-10-07 13:54:25 3,584,000 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2007-10-07 13:54:26 477,696 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2007-10-07 13:54:27 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2007-10-07 13:54:27 670,720 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2007-10-07 13:54:30 102,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2007-10-07 13:54:30 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2007-10-07 13:54:32 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2007-10-07 13:54:32 1,153,536 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2007-10-07 13:54:34 232,960 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2007-10-07 13:54:34 823,808 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2007-10-07 13:35:05 315,904 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2006-10-27 20:16:36 133,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CONTAB32.DLL
+ 2006-10-27 01:55:32 87,344 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DLGSETP.DLL
+ 2006-10-27 20:07:36 17,891,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\EXCEL.EXE
+ 2006-10-27 01:55:48 340,248 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MIMEDIR.DLL
+ 2006-10-27 20:04:08 497,504 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MORPH9.DLL
+ 2006-10-27 20:04:10 9,581,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSPUB.EXE
+ 2006-10-27 20:16:46 2,939,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OLMAPI32.DLL
+ 2006-10-27 01:34:12 660,792 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OMSMAIN.DLL
+ 2006-10-27 01:34:10 192,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OMSXP32.DLL
+ 2006-09-15 21:25:18 3,611,416 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLFLTR.DAT
+ 2006-10-27 20:16:44 594,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLMIME.DLL
+ 2006-10-27 20:16:48 12,813,096 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLOOK.EXE
+ 2006-10-27 20:16:40 176,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLPH.DLL
+ 2006-10-27 01:09:36 136,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PRTF9.DLL
+ 2006-10-27 01:55:54 413,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PSTPRX32.DLL
+ 2006-10-27 20:04:06 624,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PTXT9.DLL
+ 2006-10-27 01:09:44 590,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PUBCONV.DLL
+ 2006-10-27 01:55:44 263,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SCNPST32.DLL
+ 2006-10-27 01:55:44 272,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SCNPST64.DLL
+ 2006-10-27 20:23:04 347,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WINWORD.EXE
+ 2006-10-27 20:11:38 4,235,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WRD12CNV.DLL
+ 2006-10-27 20:11:36 21,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WRD12EXE.EXE
+ 2006-10-27 20:23:08 17,483,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WWLIB.DLL
+ 2006-10-27 02:13:08 14,674,216 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XL12CNV.EXE
+ 2006-10-27 02:17:08 11,072 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XLCALL32.DLL
- 2008-04-27 23:57:22 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-06-22 02:38:41 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-04-27 23:57:22 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-06-22 02:38:41 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-27 23:57:22 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-06-22 02:38:41 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-04-27 23:57:22 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-06-22 02:38:41 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-27 23:57:22 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-06-22 02:38:41 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-27 23:57:22 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-06-22 02:38:41 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-27 23:57:22 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-06-22 02:38:41 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-27 23:57:22 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-06-22 02:38:41 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-27 23:57:22 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-06-22 02:38:41 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-27 23:57:22 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-06-22 02:38:41 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-27 23:57:22 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-06-22 02:38:41 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-27 23:57:22 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-06-22 02:38:41 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2001-07-14 22:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2007-10-07 13:54:03 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 03:35:35 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-10-07 13:54:03 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 03:35:35 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2004-08-04 12:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2007-10-07 13:32:20 147,456 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:19:35 147,968 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-04 12:00:00 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2008-02-20 18:49:36 45,568 -c--a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-10-07 13:54:04 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 03:35:35 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-10-07 13:54:04 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 03:35:35 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-10-07 13:54:04 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 03:35:35 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-10-07 13:43:12 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:52:43 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-10-07 13:54:05 56,832 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-04-22 08:02:19 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-10-07 13:54:05 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 03:35:35 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-10-07 13:54:06 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 03:35:35 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-10-07 13:54:06 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-04-20 05:07:38 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-10-07 13:54:08 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 03:35:35 388,608 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-10-07 13:54:14 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 03:35:36 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-10-07 13:54:15 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-04-22 08:02:46 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-10-07 13:32:31 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:25:02 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2007-10-07 13:54:20 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 03:35:36 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-10-07 13:43:14 726,528 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:50:47 727,040 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2004-08-04 12:00:00 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 10:05:47 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
- 2004-08-04 12:00:00 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:46:59 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
- 2004-08-04 12:00:00 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
- 2004-08-04 12:00:00 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:46:59 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
- 2004-08-04 12:00:00 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:46:59 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
- 2004-08-04 12:00:00 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
- 2004-08-04 12:00:00 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
+ 2007-07-06 12:46:59 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
- 2004-08-04 12:00:00 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
- 2004-08-04 12:00:00 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
+ 2007-07-06 12:46:59 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2004-08-04 12:00:00 181,248 -c--a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
+ 2007-12-18 09:51:35 179,584 -c--a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
- 2007-10-07 13:43:14 297,984 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:48:44 297,984 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 12:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-04 12:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2007-10-07 13:54:25 3,584,000 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-23 03:35:36 3,593,728 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-10-07 13:54:26 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 03:35:36 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2004-08-04 12:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-04 12:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-04 12:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-26 08:09:15 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-04 12:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-04 12:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2004-08-04 12:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 15:20:46 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2007-10-07 13:54:27 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 03:35:36 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2004-08-04 12:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-04 12:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2007-10-07 13:54:27 670,720 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 03:35:36 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-10-07 13:33:16 838,360 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2007-10-07 13:33:16 621,272 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2007-10-07 13:54:30 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 03:35:36 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-10-07 13:43:30 549,888 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
+ 2007-12-04 18:29:10 551,936 -c--a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
- 2007-10-07 13:54:30 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 03:35:36 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-07 13:33:33 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 04:55:40 1,288,192 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-10-07 13:33:37 202,496 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:14:51 203,008 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2007-10-07 13:33:37 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2007-10-07 13:43:42 8,459,264 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-10-07 13:33:57 360,704 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 16:53:32 360,832 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2007-10-07 13:35:05 315,904 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
- 2007-10-07 13:54:32 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 03:35:36 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-10-07 13:54:32 1,153,536 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 03:35:36 1,162,752 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-10-07 13:54:33 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-10-07 13:54:34 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 03:35:36 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-10-07 13:43:46 1,843,968 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:40:27 1,845,888 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-10-07 13:54:34 823,808 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 03:35:36 827,392 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-10-07 13:35:07 222,208 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 22:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2007-10-07 13:35:21 10,834,432 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
- 2007-10-07 13:32:20 147,456 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:19:35 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 12:00:00 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 18:49:36 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2004-08-04 12:00:00 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2004-08-04 12:00:00 181,248 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
+ 2007-12-18 09:51:35 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
- 2007-10-07 13:33:40 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
+ 2007-11-13 10:25:53 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
- 2007-10-07 13:33:57 360,704 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2007-10-07 13:54:04 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 03:35:35 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-10-07 13:54:04 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 03:35:35 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-10-07 13:54:04 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 03:35:35 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-06-03 02:00:40 292,480 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-06-21 22:56:11 292,480 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-10-07 13:43:12 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-10-07 13:54:05 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 03:35:35 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-10-07 13:54:05 56,832 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 08:02:19 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-10-07 13:54:05 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 03:35:35 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-10-07 13:54:06 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 03:35:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-10-07 13:54:06 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:38 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-10-07 13:54:08 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 03:35:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-10-07 13:54:08 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 03:35:35 388,608 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-10-07 13:54:14 6,059,008 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 03:35:36 6,068,224 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-10-07 13:54:14 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 03:35:36 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-10-07 13:54:14 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 03:35:36 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-10-07 13:54:15 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 08:02:19 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-10-07 13:32:31 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2007-10-07 13:54:20 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 03:35:36 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-10-07 13:43:14 726,528 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2004-08-04 12:00:00 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-04 12:00:00 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-04 12:00:00 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-04 12:00:00 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-04 12:00:00 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-04 12:00:00 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-04 12:00:00 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-04 12:00:00 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2008-05-29 21:35:12 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-10-07 13:43:14 297,984 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\system32\msctf.dll
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2007-10-07 13:54:21 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 03:35:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-04-25 18:08:34 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 03:35:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-10-07 13:54:25 3,584,000 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-23 03:35:36 3,593,728 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-10-07 13:54:26 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 03:35:36 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-04 12:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 12:00:00 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2008-03-26 08:09:15 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 15:20:46 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2007-10-07 13:54:27 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 03:35:36 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2007-10-07 13:54:27 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 03:35:36 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-10-07 13:33:16 838,360 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2007-10-07 13:33:16 621,272 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
- 2007-10-07 13:54:30 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 03:35:36 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-10-07 13:43:30 549,888 ----a-w C:\WINDOWS\system32\oleaut32.dll
+ 2007-12-04 18:29:10 551,936 ----a-w C:\WINDOWS\system32\oleaut32.dll
- 2007-10-07 13:54:30 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 03:35:36 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-10-07 13:33:37 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2007-10-07 13:43:42 8,459,264 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\shell32.dll
- 2006-10-09 03:51:14 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-27 09:24:20 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-10-07 13:54:32 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 03:35:36 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-10-07 13:54:32 1,153,536 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 03:35:36 1,162,752 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-10-07 13:54:34 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 03:35:36 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-10-07 13:43:46 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-10-07 13:35:07 222,208 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 22:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2007-10-07 13:35:21 10,834,432 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 ----a-w C:\WINDOWS\system32\wmp.dll
- 2007-10-07 13:43:51 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 21:12 132248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 12:19 1426432]
"CPU Power Monitor"="C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-09-06 20:57 626688]
"Cpu Level Up help"="C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 11:32 880640]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 08:34 868352]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12 341488]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-06-14 22:14 100056]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 55824 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

C:\Documents and Settings\Dave\Start Menu\Programs\Startup\
Mouse_all_macros-CS.exe [2008-03-01 10:56:18 203640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Autodetect.lnk - C:\Program Files\Photolightning\autodetect.exe [2008-06-13 23:26:12 126976]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-20 21:15:22 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 13:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-09-11 00:43 67488 C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 21:17 1271032 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2008\\3dsviz.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 mi-raysat_VIZ2008_32;mental ray 3.5 Satellite for Autodesk VIZ 2008;"C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe" [2007-03-07 15:32]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 03:07:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Dave.job"
- C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exeh/task:
"2008-06-15 02:57:33 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-07-04 05:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{57C60687-29B1-4426-A56E-7699D391E570} - (no file)
BHO-{a4c17357-40a2-4782-a40d-ab543136fea1} - C:\WINDOWS\system32\hqilthwc.dll
BHO-{F68ECCDB-E163-46DB-9BC2-1703BE6F2130} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 23:52:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 23:53:23
ComboFix-quarantined-files.txt 2008-07-05 04:53:13

Pre-Run: 105,283,760,128 bytes free
Post-Run: 105,270,681,600 bytes free

577 --- E O F --- 2008-06-24 11:57:12

**********************
**********************
**********************
HijackThis Log
**********************
**********************
**********************

Deckard's System Scanner v20071014.68
Run by Dave on 2008-07-04 23:56:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:08 PM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
C:\Program Files\Photolightning\autodetect.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Dave\Start Menu\Programs\Startup\Mouse_all_macros-CS.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dave\Desktop\desktop1\vundoremoval\dss.exe
C:\PROGRA~1\HIJACK~1\Dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {57C60687-29B1-4426-A56E-7699D391E570} - (no file)
O2 - BHO: {1aef6313-45ba-d04a-2874-2a0475371c4a} - {a4c17357-40a2-4782-a40d-ab543136fea1} - C:\WINDOWS\system32\hqilthwc.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Mouse_all_macros-CS.exe
O4 - Global Startup: Autodetect.lnk = C:\Program Files\Photolightning\autodetect.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite for Autodesk VIZ 2008 (mi-raysat_VIZ2008_32) - Unknown owner - C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11273 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 23:51:07 68096 --a------ C:\WINDOWS\zip.exe
2008-07-04 23:51:07 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-04 23:51:07 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-04 23:51:07 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-04 23:51:07 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-04 23:51:07 98816 --a------ C:\WINDOWS\sed.exe
2008-07-04 23:51:07 80412 --a------ C:\WINDOWS\grep.exe
2008-07-04 23:51:07 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-04 23:49:16 259776 -r-hs---- C:\cmldr
2008-07-04 23:49:14 0 dr-hs---- C:\cmdcons
2008-07-04 23:49:13 0 d-------- C:\WINDOWS\setup.pss
2008-07-04 23:49:03 0 d-------- C:\WINDOWS\setupupd
2008-07-04 02:04:21 0 dr-h----- C:\Documents and Settings\Dave\Recent
2008-06-21 00:11:32 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-20 21:34:08 0 d-------- C:\VundoFix Backups
2008-06-18 23:41:01 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2008-06-18 21:31:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-18 21:27:27 0 d-------- C:\WINDOWS\pss
2008-06-18 21:05:59 0 d-------- C:\Program Files\CCleaner
2008-06-14 22:33:07 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-14 22:14:27 0 d-------- C:\Program Files\SymNetDrv
2008-06-14 21:56:46 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys <Not Verified; Symantec Corporation; Symantec Core Component>
2008-06-14 21:56:27 0 d-------- C:\Program Files\Norton SystemWorks
2008-06-14 21:55:45 0 d-------- C:\Documents and Settings\Dave\Application Data\Symantec
2008-06-14 21:55:27 0 d-------- C:\Program Files\Symantec
2008-06-14 21:55:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 20:11:36 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-14 15:33:05 0 d-------- C:\Program Files\Lavasoft
2008-06-14 15:32:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 11:05:06 0 d-------- C:\Documents and Settings\Dave\Application Data\Mp3tag
2008-06-14 11:04:58 0 d-------- C:\Program Files\Mp3tag
2008-06-14 10:56:52 0 d-------- C:\Program Files\GoldWave
2008-06-13 23:26:11 65536 --a------ C:\WINDOWS\Photolightning.SCR <Not Verified; Photolightning; Photolightning>
2008-06-13 23:26:09 0 d-------- C:\Program Files\Photolightning
2008-06-13 23:12:30 0 d-------- C:\Program Files\Common Files\FotoWire
2008-06-09 21:24:55 0 d-------- C:\Program Files\AutoUnpack
2008-06-08 11:29:08 0 d-------- C:\Documents and Settings\All Users\Application Data\espionServerData


-- Find3M Report ---------------------------------------------------------------

2008-07-04 23:27:23 0 d-------- C:\Program Files\Common Files
2008-07-04 00:25:36 0 d-------- C:\Program Files\Steam
2008-06-21 00:04:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 22:27:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-14 20:26:38 0 d-------- C:\Program Files\AVG Anti-Spyware 7.5
2008-06-14 11:13:52 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-06-08 11:28:54 0 d-------- C:\Documents and Settings\Dave\Application Data\Adobe
2008-06-02 00:06:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-02 00:06:29 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-19 22:48:59 0 d-------- C:\Documents and Settings\Dave\Application Data\Ulead Systems
2008-05-19 18:31:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 18:31:33 0 d-------- C:\Program Files\SmartSound Software
2008-05-19 18:31:23 0 d-------- C:\Program Files\QuickTime
2008-05-19 18:30:47 0 d-------- C:\Program Files\Common Files\InterVideo
2008-05-19 18:29:59 0 d-------- C:\Program Files\Windows Media Components
2008-05-19 18:29:57 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-05-19 18:29:19 0 d-------- C:\Program Files\Ulead Systems
2008-05-16 17:41:25 0 d-------- C:\Program Files\QuickPar
2008-05-12 23:32:44 0 d-------- C:\Program Files\Autodesk
2008-05-12 23:32:42 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-08 20:58:09 0 d-------- C:\Documents and Settings\Dave\Application Data\NewsLeecher
2008-05-07 00:32:05 0 d-------- C:\Program Files\Bulk Rename Utility
2008-05-05 23:06:32 0 d-------- C:\Documents and Settings\Dave\Application Data\Skype
2008-05-05 23:05:59 0 d-------- C:\Documents and Settings\Dave\Application Data\skypePM
2008-05-05 21:07:46 0 d-------- C:\Program Files\MagicISO
2008-04-07 21:21:57 4853760 --a------ C:\Program Files\mplayerc.exe <Not Verified; Gabest; Media Player Classic>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C60687-29B1-4426-A56E-7699D391E570}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4c17357-40a2-4782-a40d-ab543136fea1}]
C:\WINDOWS\system32\hqilthwc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F68ECCDB-E163-46DB-9BC2-1703BE6F2130}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [09/06/2007 12:19 PM]
"CPU Power Monitor"="C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [09/06/2007 08:57 PM]
"Cpu Level Up help"="C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [09/11/2007 11:32 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 02:41 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 08:34 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/29/2007 03:17 AM C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 04:57 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [09/20/2007 10:51 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [03/03/2007 02:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/17/2008 11:42 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [06/14/2008 10:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [09/20/2007 04:35 PM]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [09/09/2004 09:12 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/07/2007 04:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Dave\Start Menu\Programs\Startup\
Mouse_all_macros-CS.exe [3/1/2008 10:56:18 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Autodetect.lnk - C:\Program Files\Photolightning\autodetect.exe [6/13/2008 11:26:12 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2/20/2008 9:15:22 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 01/09/2008 01:30 PM 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-07-04 23:56:21 ------------

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 July 2008 - 12:46 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\BM1b39f140.xml
C:\WINDOWS\system32\awtqrpmm.dll.vir
Folder::
C:\VundoFix Backups
Driver::
axskbus
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57C60687-29B1-4426-A56E-7699D391E570}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4c17357-40a2-4782-a40d-ab543136fea1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F68ECCDB-E163-46DB-9BC2-1703BE6F2130}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Davey_MTU
  • Topic Starter

  • Members
  • 12 posts

Posted 05 July 2008 - 04:54 PM

Well, ComboFix got this far:

"Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double
The process cannot access the file because it is being used by another process."

Then I let it sit. After 3 hours, it hadn't done anything else, so I shut the window, rebooted, and tried again. Same thing.

Should I repeat these steps in safe mode? Or is there a way to find out what process is using the file and kill it with Task Manager, then repeat these steps?

Thanks,

Dave

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 July 2008 - 05:02 PM

Hi,

It's most probably your Norton interfering here... But, no need to rerun Combofix again, we'll deal with the leftovers manually...

Delete the following files:

C:\WINDOWS\BM1b39f140.xml
C:\WINDOWS\system32\awtqrpmm.dll.vir

Delete the following folder:

C:\VundoFix Backups


Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {57C60687-29B1-4426-A56E-7699D391E570} - (no file)
O2 - BHO: {1aef6313-45ba-d04a-2874-2a0475371c4a} - {a4c17357-40a2-4782-a40d-ab543136fea1} - C:\WINDOWS\system32\hqilthwc.dll (file missing)
O2 - BHO: (no name) - {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

Edited by miekiemoes, 05 July 2008 - 05:02 PM.


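The fix list above is built by reading the HijackThis O2/O3 lines and picking out the BHOs and toolbars whose DLL no longer exists, then clearing their CLSIDs in the same way the CFScript earlier in the thread did with its Registry:: block. The following is an added example (not part of HijackThis, ComboFix or the helper's instructions) that automates exactly that triage: it parses O2 and O3 lines, flags entries marked "(no file)" or "(file missing)", and emits the matching Registry:: lines in the CFScript shape used above. The sample log is constructed from the entries quoted in this thread; the function names are my own.

```python
"""Triage HijackThis O2/O3 entries whose backing DLL is gone.

Added example for this thread; not code from HijackThis or ComboFix.
An IE add-on whose file is missing is dead weight at best and, as here,
a leftover of a removed Vundo/Virtumonde DLL at worst, so it is the first
thing a responder checks for in the log.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of HijackThis v2.0.2 output. The CLSIDs
# and paths are the ones quoted in this thread; it is not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {57C60687-29B1-4426-A56E-7699D391E570} - (no file)
O2 - BHO: {1aef6313-45ba-d04a-2874-2a0475371c4a} - {a4c17357-40a2-4782-a40d-ab543136fea1} - C:\WINDOWS\system32\hqilthwc.dll (file missing)
O2 - BHO: (no name) - {F68ECCDB-E163-46DB-9BC2-1703BE6F2130} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

# "O2 - BHO: <name> - {CLSID} - <target>" / "O3 - Toolbar: <name> - {CLSID} - <target>"
# The name is matched lazily because it can itself be a GUID in braces.
O2_O3_RE = re.compile(
    r"^(?P<section>O2|O3) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)


@dataclass
class IEAddon:
    section: str   # "O2" or "O3"
    kind: str      # "BHO" or "Toolbar"
    name: str
    clsid: str
    path: str      # "" when HijackThis printed "(no file)"
    missing: bool  # True for "(no file)" and "(file missing)"
    raw: str       # the original log line, as HijackThis shows it


def parse_ie_addons(log_text: str) -> List[IEAddon]:
    """Return every O2/O3 entry in the log; other sections are ignored."""
    addons: List[IEAddon] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_O3_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip()
        if target == "(no file)":
            path, missing = "", True
        elif target.endswith("(file missing)"):
            path, missing = target[: -len("(file missing)")].strip(), True
        else:
            path, missing = target, False
        addons.append(IEAddon(m.group("section"), m.group("kind"), m.group("name"),
                              m.group("clsid"), path, missing, line))
    return addons


def orphaned_entries(log_text: str) -> List[IEAddon]:
    """Entries whose DLL is gone: the ones to check in HijackThis and fix."""
    return [a for a in parse_ie_addons(log_text) if a.missing]


def hijackthis_fix_list(log_text: str) -> List[str]:
    """The raw lines to tick before 'Fix Checked', exactly as they appear in the log."""
    return [a.raw for a in orphaned_entries(log_text)]


def cfscript_registry_block(log_text: str) -> str:
    """Registry:: lines in the CFScript shape used in this thread.

    Only O2 BHOs are emitted here; HijackThis writes '~' for the
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer prefix.
    """
    lines = ["Registry::"]
    for a in orphaned_entries(log_text):
        if a.section == "O2":
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{a.clsid}]")
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in hijackthis_fix_list(SAMPLE_LOG):
        print(entry)
    print(cfscript_registry_block(SAMPLE_LOG))
```

Run it against a saved hijackthis.log instead of SAMPLE_LOG to get the same four lines the helper listed; anything it prints with a real path in system32 (as with hqilthwc.dll) is worth a second look even after the file is gone, because the registry key that loaded it is still there until it is fixed.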
#7 Davey_MTU
  • Topic Starter

  • Members
  • 12 posts

Posted 05 July 2008 - 05:16 PM

Everything seems to be working ok! Thanks.

Here's a final HJT log if you are interested.

Thanks again,

Dave
-----------------------
Deckard's System Scanner v20071014.68
Run by Dave on 2008-07-05 17:13:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:13, on 2008-07-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Photolightning\autodetect.exe
C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Dave\Start Menu\Programs\Startup\Mouse_all_macros-CS.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dave\Desktop\desktop1\vundoremoval\dss.exe
C:\PROGRA~1\HIJACK~1\Dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Mouse_all_macros-CS.exe
O4 - Global Startup: Autodetect.lnk = C:\Program Files\Photolightning\autodetect.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite for Autodesk VIZ 2008 (mi-raysat_VIZ2008_32) - Unknown owner - C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10890 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-04 23:49:16 259776 -r-hs---- C:\cmldr
2008-07-04 23:49:14 0 dr-hs---- C:\cmdcons
2008-07-04 23:49:13 0 d-------- C:\WINDOWS\setup.pss
2008-07-04 23:49:03 0 d-------- C:\WINDOWS\setupupd
2008-07-04 02:04:21 0 dr-h----- C:\Documents and Settings\Dave\Recent
2008-06-21 00:11:32 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-18 23:41:01 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2008-06-18 21:31:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-18 21:27:27 0 d-------- C:\WINDOWS\pss
2008-06-18 21:05:59 0 d-------- C:\Program Files\CCleaner
2008-06-14 22:33:07 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-14 22:14:27 0 d-------- C:\Program Files\SymNetDrv
2008-06-14 21:56:46 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys <Not Verified; Symantec Corporation; Symantec Core Component>
2008-06-14 21:56:27 0 d-------- C:\Program Files\Norton SystemWorks
2008-06-14 21:55:45 0 d-------- C:\Documents and Settings\Dave\Application Data\Symantec
2008-06-14 21:55:27 0 d-------- C:\Program Files\Symantec
2008-06-14 21:55:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 20:11:36 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-14 15:33:05 0 d-------- C:\Program Files\Lavasoft
2008-06-14 15:32:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 11:05:06 0 d-------- C:\Documents and Settings\Dave\Application Data\Mp3tag
2008-06-14 11:04:58 0 d-------- C:\Program Files\Mp3tag
2008-06-14 10:56:52 0 d-------- C:\Program Files\GoldWave
2008-06-13 23:26:11 65536 --a------ C:\WINDOWS\Photolightning.SCR <Not Verified; Photolightning; Photolightning>
2008-06-13 23:26:09 0 d-------- C:\Program Files\Photolightning
2008-06-13 23:12:30 0 d-------- C:\Program Files\Common Files\FotoWire
2008-06-09 21:24:55 0 d-------- C:\Program Files\AutoUnpack
2008-06-08 11:29:08 0 d-------- C:\Documents and Settings\All Users\Application Data\espionServerData


-- Find3M Report ---------------------------------------------------------------

2008-07-05 16:49:06 0 d-------- C:\Program Files\Common Files
2008-07-05 12:26:41 0 d-------- C:\Documents and Settings\Dave\Application Data\Skype
2008-07-05 12:25:58 0 d-------- C:\Documents and Settings\Dave\Application Data\skypePM
2008-07-04 00:25:36 0 d-------- C:\Program Files\Steam
2008-06-21 00:04:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 22:27:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-14 20:26:38 0 d-------- C:\Program Files\AVG Anti-Spyware 7.5
2008-06-14 11:13:52 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-06-08 11:28:54 0 d-------- C:\Documents and Settings\Dave\Application Data\Adobe
2008-06-02 00:06:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-02 00:06:29 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-19 22:48:59 0 d-------- C:\Documents and Settings\Dave\Application Data\Ulead Systems
2008-05-19 18:31:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 18:31:33 0 d-------- C:\Program Files\SmartSound Software
2008-05-19 18:31:23 0 d-------- C:\Program Files\QuickTime
2008-05-19 18:30:47 0 d-------- C:\Program Files\Common Files\InterVideo
2008-05-19 18:29:59 0 d-------- C:\Program Files\Windows Media Components
2008-05-19 18:29:57 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-05-19 18:29:19 0 d-------- C:\Program Files\Ulead Systems
2008-05-16 17:41:25 0 d-------- C:\Program Files\QuickPar
2008-05-12 23:32:44 0 d-------- C:\Program Files\Autodesk
2008-05-12 23:32:42 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-08 20:58:09 0 d-------- C:\Documents and Settings\Dave\Application Data\NewsLeecher
2008-05-07 00:32:05 0 d-------- C:\Program Files\Bulk Rename Utility
2008-05-05 21:07:46 0 d-------- C:\Program Files\MagicISO
2008-04-07 21:21:57 4853760 --a------ C:\Program Files\mplayerc.exe <Not Verified; Gabest; Media Player Classic>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 12:19]
"CPU Power Monitor"="C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-09-06 20:57]
"Cpu Level Up help"="C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 11:32]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41]
"nwiz"="nwiz.exe" [2007-12-05 02:41 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 08:34]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"UVS11 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 14:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-06-14 22:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 21:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-10-07 16:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Dave\Start Menu\Programs\Startup\
Mouse_all_macros-CS.exe [2008-03-01 10:56:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Autodetect.lnk - C:\Program Files\Photolightning\autodetect.exe [2008-06-13 23:26:12]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-20 21:15:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 13:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent




-- End of Deckard's System Scanner: finished at 2008-07-05 17:13:23 ------------

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:46 AM

Posted 06 July 2008 - 01:16 AM

Hi,

This looks OK again :thumbsup:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:46 AM

Posted 13 July 2008 - 02:00 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.