
Vundo And Possible Other Infections


9 replies to this topic

#1 Commie

Commie

  • Members
  • 30 posts
  • Gender:Male

Posted 07 July 2008 - 01:55 AM

Whenever I try to do something with Windows Explorer, the start menu and desktop icons disappear.
Spybot S&D always notifies me that a MSServer System Startup global entry is requesting to be changed and that deals with a rundll32.exe file in the C:\Windows\system32 directory.

I have a Kaspersky online scan log and the main.txt portion of Deckard's. It never gives me an extra.txt file even when I get the chance to look in the Deckard folder.

I've received help from here once before and it was greatly appreciated. Any help again will also be appreciated. Apparently I have problems with avoiding viruses.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, July 7, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, July 06, 2008 18:57:34
Records in database: 918909
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows

Scan statistics:
Files scanned: 130962
Threat name: 1
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:41:09


File name / Threat name / Threats count
C:\Windows\system32\qoMddbBR.dll/C:\Windows\system32\qoMddbBR.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Windows\System32\qoMddbBR.dll Infected: Trojan.Win32.Monderc.gen 1
C:\Windows\System32\tuvTMEWO.dll Infected: Trojan.Win32.Monderc.gen 1

The selected area was scanned.



Deckard's System Scanner v20071014.68
Run by Kyle on 2008-07-07 02:05:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis (run as Kyle.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:37 AM, on 7/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Windows\System32\mobsync.exe
C:\Users\Kyle\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kyle.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Windows\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22AAC35B-F52E-4EAF-86FC-874714DC78CC} - C:\Windows\system32\wvUoLbAS.dll (file missing)
O2 - BHO: (no name) - {4F8A9E0D-65A7-4CDC-B468-02488F2ACEDC} - C:\Windows\system32\qoMddbBR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeyAccess] C:\Windows\keyacc32.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\uRlmnKBt.dll,#1
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUICECooLSrv.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 13388 bytes

-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 02:03:48 25088 --a------ C:\Windows\system32\uRlmnKBt.dll
2008-07-06 23:53:51 654217 --ahs---- C:\Windows\system32\RBbddMoq.ini2
2008-07-06 23:53:44 319488 --a------ C:\Windows\system32\qoMddbBR.dll
2008-07-06 23:44:08 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-07-06 21:43:54 0 d-------- C:\VundoFix Backups
2008-07-06 18:24:43 0 d-------- C:\Users\All Users\WindowsSearch
2008-07-06 06:40:54 0 d-------- C:\Program Files\MagicISO
2008-07-04 11:37:52 34693 --a------ C:\Windows\scunin.dat
2008-07-04 11:37:44 967 --a------ C:\Windows\ScUnin.pif
2008-07-04 11:37:43 94208 --a------ C:\Windows\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-07-04 11:36:40 0 d-------- C:\Program Files\Starcraft
2008-07-03 17:13:27 0 d-------- C:\tmp
2008-07-02 17:29:43 0 d-------- C:\Program Files\Firaxis Games
2008-07-01 22:58:01 0 d-------- C:\Users\All Users\Innovative Solutions
2008-07-01 22:57:22 0 d-------- C:\Program Files\Innovative Solutions
2008-07-01 13:53:39 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-07-01 08:25:42 442368 -ra------ C:\Windows\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2008-06-24 22:16:07 0 d-------- C:\Users\All Users\Google Updater
2008-06-23 10:55:52 0 d-------- C:\Program Files\bobyte
2008-06-23 10:39:14 356352 --a------ C:\Windows\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-06-23 10:29:52 0 d-------- C:\Program Files\Common Files\DeskShare Shared
2008-06-23 10:29:18 0 d-------- C:\Program Files\Deskshare


-- Find3M Report ---------------------------------------------------------------

2008-07-07 02:09:13 345 --ahs---- C:\Windows\system32\NmTEdfii.ini2
2008-07-07 02:09:07 319488 --a------ C:\Windows\system32\iifdETmN.dll
2008-07-06 19:37:12 0 d-------- C:\Users\Kyle\AppData\Roaming\uTorrent
2008-07-06 19:37:05 0 d-------- C:\Program Files\Common Files
2008-07-06 19:37:03 0 d-------- C:\Program Files\AviSynth 2.5
2008-07-06 18:28:38 12693 --a------ C:\Users\Kyle\AppData\Roaming\.googlewebacchosts
2008-07-06 07:13:38 0 d-------- C:\Users\Kyle\AppData\Roaming\.purple
2008-07-04 07:40:47 0 d-------- C:\Program Files\uTorrent
2008-07-02 18:27:34 0 d-------- C:\Program Files\EA GAMES
2008-07-02 17:38:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 13:05:00 0 d-------- C:\Users\Kyle\AppData\Roaming\Mozilla
2008-06-27 15:25:44 0 d-------- C:\Users\Kyle\AppData\Roaming\NeroDigital™
2008-06-24 22:19:30 0 d-------- C:\Users\Kyle\AppData\Roaming\Google
2008-06-24 22:18:10 0 d-------- C:\Program Files\Google
2008-06-23 10:54:19 0 d-------- C:\Program Files\DivX
2008-06-23 00:48:50 0 d-------- C:\Program Files\Common Files\Nero
2008-06-15 22:12:18 0 d-------- C:\Program Files\Windows Mail
2008-06-07 05:32:35 0 d-------- C:\Program Files\myFairTunes
2008-06-06 04:37:53 0 d-------- C:\Program Files\RocketDock
2008-06-01 22:56:01 0 d-------- C:\Program Files\dvdSanta
2008-06-01 22:34:52 0 d-------- C:\Users\Kyle\AppData\Roaming\gtk-2.0
2008-06-01 02:45:49 0 d-------- C:\Program Files\Image-Line
2008-06-01 02:37:08 0 d-------- C:\Program Files\Steinberg
2008-05-31 21:19:09 0 d-------- C:\Program Files\Activision
2008-05-31 19:03:56 0 d-------- C:\Users\Kyle\AppData\Roaming\Astroburn
2008-05-31 18:41:33 0 d-------- C:\Program Files\Astroburn
2008-05-30 19:22:48 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 19:22:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 815104 --a------ C:\Windows\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 683520 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-27 20:18:50 0 d-------- C:\Users\Kyle\AppData\Roaming\LimeWire
2008-05-22 18:22:18 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-05-22 18:19:46 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 18:19:46 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 18:18:54 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-05-19 17:04:54 29824 --a------ C:\Windows\system32\rqRIxvWN.dll
2008-05-19 14:06:39 0 d-------- C:\Users\Kyle\AppData\Roaming\Malwarebytes
2008-05-19 14:06:23 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 05:53:28 344 --ahs---- C:\Windows\system32\AaGggfii.ini2
2008-05-17 05:10:25 0 d-------- C:\Program Files\Trend Micro
2008-05-15 18:21:14 0 d-------- C:\Users\Kyle\AppData\Roaming\Real
2008-05-15 18:16:25 2823 --a------ C:\Windows\mozver.dat
2008-05-15 18:14:31 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-15 18:14:26 0 d-------- C:\Program Files\Common Files\Real
2008-05-15 18:13:32 0 d-------- C:\Program Files\Real
2008-05-14 20:56:58 0 d-------- C:\Program Files\iolo
2008-05-14 14:40:44 0 d-------- C:\Program Files\Avi2Dvd
2008-05-12 18:24:32 0 d-------- C:\Users\Kyle\AppData\Roaming\Microsoft Games
2008-05-12 18:00:14 0 d-------- C:\Program Files\Microsoft Games
2008-05-08 22:16:31 0 d-------- C:\Users\Kyle\AppData\Roaming\dvdcss
2008-05-07 21:57:53 0 d-------- C:\Users\Kyle\AppData\Roaming\Tunebite
2008-05-07 21:52:31 0 d-------- C:\Program Files\RapidSolution
2008-04-19 08:49:44 174 --ahs---- C:\Program Files\desktop.ini
2008-04-12 07:41:20 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-04-12 07:30:20 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-04-10 00:12:29 195024 --ah----- C:\Windows\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22AAC35B-F52E-4EAF-86FC-874714DC78CC}]
C:\Windows\system32\wvUoLbAS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F8A9E0D-65A7-4CDC-B468-02488F2ACEDC}]
07/06/2008 11:53 PM 319488 --a------ C:\Windows\system32\qoMddbBR.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/03/2008 10:51 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 AM]
"RtHDVCpl"="RtHDVCpl.exe" [03/11/2008 05:53 PM C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [12/20/2006 03:16 AM]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [12/07/2006 08:49 PM]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [11/01/2006 12:06 PM]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [01/18/2006 08:06 PM]
"KeyAccess"="C:\Windows\keyacc32.exe" [06/08/2007 02:00 PM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [11/27/2007 09:42 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [05/22/2008 02:50 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [07/27/2007 07:00 AM]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [11/28/2007 08:17 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/22/2006 06:12 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [11/28/2006 07:34 AM]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [07/20/2006 04:45 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [01/09/2008 04:31 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [02/18/2008 04:29 PM]
"RegistryMechanic"="" []
"iolo Startup"="C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [05/06/2008 08:58 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/15/2008 06:13 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/11/2008 08:13 PM]
"MSServer"="C:\Windows\system32\uRlmnKBt.dll" [07/06/2008 07:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 03:33 AM]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [02/28/2008 05:07 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 03:33 AM]
"@"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 01:58 PM]

C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Network USB Hub Control Center.lnk - C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe [3/21/2008 9:02:01 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 11:24:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4E3E60F5-F691-475F-AFBA-CF9FCAB47C15}"= C:\Windows\system32\uRlmnKBt.dll [07/06/2008 07:00 AM 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 01/31/2007 03:00 PM 79368 C:\Windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafwc]
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"C:\Program Files\DAEMON Tools Lite\daemon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
NDSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eab8f52-c138-11dc-bdc0-0016d4fc3df5}]
AutoRun\command- F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d008b31-a32e-11dc-b5af-0016d4fc3df5}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af8d580e-a8f1-11dc-a0c7-0016d4fc3df5}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b3-9d4f-11dc-97dc-0016d4fc3df5}]
AutoRun\command- I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b6-9d4f-11dc-97dc-0016d4fc3df5}]
AutoRun\command- H:\LaunchU3.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-07 02:10:30 ------------
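As an added illustration for this thread (not a BleepingComputer, HijackThis or Deckard tool), the script below applies the indicators visible in the HijackThis log above to a constructed sample of O2/O4 lines copied from it: BHOs with no name, eight-letter mixed-case DLL names in system32, a BHO whose file is missing, and a Run entry that starts rundll32.exe with an ordinal export (`,#1`). The scoring weights, the threshold and the small allowlist are assumptions; a hit means "look closer", not "malware confirmed".

```python
"""Triage HijackThis O2/O4 lines for the Vundo-style indicators seen in the log above.

Constructed example for this thread; heuristic only.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: line shapes and names copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22AAC35B-F52E-4EAF-86FC-874714DC78CC} - C:\Windows\system32\wvUoLbAS.dll (file missing)
O2 - BHO: (no name) - {4F8A9E0D-65A7-4CDC-B468-02488F2ACEDC} - C:\Windows\system32\qoMddbBR.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\uRlmnKBt.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
""".strip()

# O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 command: "rundll32.exe <dll>,<export>"; export may be a name or an ordinal like #1
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)

RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")
# Hypothetical allowlist of legitimate eight-letter stems; extend for your own environment.
KNOWN_STEMS = {"oobefldr", "igfxpers"}


def looks_random(stem: str) -> bool:
    """Eight letters, mixed case, not allowlisted: the naming pattern of every Vundo DLL in the log."""
    return (
        RANDOM_STEM.fullmatch(stem) is not None
        and stem != stem.lower()
        and stem != stem.upper()
        and stem.lower() not in KNOWN_STEMS
    )


@dataclass(frozen=True)
class Finding:
    line_no: int
    section: str
    path: str
    score: int
    reasons: tuple


def _record(findings, line_no, section, path, reasons, threshold):
    score = sum(weight for weight, _ in reasons)
    if score >= threshold:
        findings.append(Finding(line_no, section, path, score, tuple(r for _, r in reasons)))


def scan(log_text: str, threshold: int = 2) -> list:
    """Return the O2/O4 entries whose combined indicator weight reaches the threshold."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = O2_RE.match(line)
        if m:
            reasons = []
            if looks_random(PureWindowsPath(m["path"]).stem):
                reasons.append((2, "eight-letter mixed-case DLL name"))
            if m["name"] == "(no name)":
                reasons.append((1, "BHO registered without a name"))
            if m["missing"]:
                reasons.append((1, "CLSID still registered but file missing"))
            _record(findings, line_no, "O2", m["path"], reasons, threshold)
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            if not r:
                continue  # ordinary executable; nothing rundll32-specific to check
            reasons = []
            if r["export"].startswith("#"):
                reasons.append((2, "rundll32 loads the DLL by ordinal export"))
            if looks_random(PureWindowsPath(r["dll"]).stem):
                reasons.append((2, "eight-letter mixed-case DLL name"))
            _record(findings, line_no, "O4", r["dll"], reasons, threshold)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}] score={f.score} {f.path}: {'; '.join(f.reasons)}")
```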

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 09 July 2008 - 04:16 AM

Hello Commie and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to Start > Run, type cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report into your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have ComboFix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference.

#3 Commie


Posted 09 July 2008 - 09:42 AM

Thanks for the response, Thunder. I have carried out all of your instructions and the logs are below.


Malwarebytes' Anti-Malware 1.20
Database version: 933
Windows 6.0.6001 Service Pack 1

9:44:09 AM 7/9/2008
mbam-log-7-9-2008 (09-44-09).txt

Scan type: Quick Scan
Objects scanned: 42492
Time elapsed: 13 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\tuvvuTLe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\eLTuvvut.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\eLTuvvut.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp00024597 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp00029156 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp0002ab0d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp00036882 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp00044bbf (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp00044c0d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp00045e93 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Kyle\AppData\Local\Temp\tmp00046759 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:34 AM, on 7/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Toshiba\IVP\ISM\ivpsvmgr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeyAccess] C:\Windows\keyacc32.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUICECooLSrv.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 12727 bytes


ComboFix 08-07-08.7 - Kyle 2008-07-09 10:04:14.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.265 [GMT -4:00]
Running from: C:\Users\Kyle\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\AaGggfii.ini
C:\Windows\System32\AaGggfii.ini2
C:\Windows\system32\x64
C:\Windows\system32\vspubapi.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-06 21:43 . 2008-07-06 23:44 <DIR> d-------- C:\VundoFix Backups
2008-07-06 18:24 . 2008-07-06 18:24 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-07-06 18:24 . 2008-07-06 18:24 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-07-06 06:40 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\MagicISO
2008-07-04 11:37 . 2008-07-04 11:49 94,208 --a------ C:\Windows\ScUnin.exe
2008-07-04 11:37 . 2008-07-04 11:49 34,693 --a------ C:\Windows\scunin.dat
2008-07-04 11:37 . 2008-07-04 11:49 967 --a------ C:\Windows\ScUnin.pif
2008-07-04 11:36 . 2008-07-07 06:19 <DIR> d-------- C:\Program Files\Starcraft
2008-07-03 17:13 . 2008-07-03 17:13 <DIR> d-------- C:\tmp
2008-07-02 17:29 . 2008-07-02 17:29 <DIR> d-------- C:\Program Files\Firaxis Games
2008-07-01 22:58 . 2008-07-01 22:58 <DIR> d-------- C:\Users\All Users\Innovative Solutions
2008-07-01 22:58 . 2008-07-01 22:58 <DIR> d-------- C:\ProgramData\Innovative Solutions
2008-07-01 22:57 . 2008-07-01 22:57 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-07-01 22:57 . 2006-11-22 12:35 42,496 --a------ C:\Windows\System32\AdvUninstCPL.cpl
2008-07-01 13:53 . 2008-07-02 18:32 737,280 --a------ C:\Windows\iun6002.exe
2008-07-01 08:25 . 2004-08-18 04:34 442,368 -ra------ C:\Windows\System32\vp6vfw.dll
2008-06-27 15:25 . <DIR> C:\Users\Kyle\AppData\Roaming\NeroDigitalT
2008-06-24 22:16 . 2008-07-09 03:59 <DIR> d-------- C:\Users\All Users\Google Updater
2008-06-24 22:16 . 2008-07-09 03:59 <DIR> d-------- C:\ProgramData\Google Updater
2008-06-23 10:55 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\bobyte
2008-06-23 10:39 . 2008-06-23 10:39 356,352 --a------ C:\Windows\eSellerateEngine.dll
2008-06-23 10:29 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\Deskshare
2008-06-23 10:29 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2008-06-23 10:29 . 2004-12-07 10:11 258,352 --a------ C:\Windows\System32\Unicows.dll
2008-06-15 13:06 . 2008-04-23 00:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-15 13:06 . 2008-04-23 00:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-15 13:06 . 2008-04-23 00:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-15 13:06 . 2008-04-23 00:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-15 12:57 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-15 12:56 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-15 12:56 . 2008-05-09 23:35 885,248 --a------ C:\Windows\System32\RacEngn.dll
2008-06-15 12:56 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-15 12:56 . 2008-05-09 18:22 9,127 --a------ C:\Windows\System32\RacUR.xml
2008-06-15 12:56 . 2008-05-09 18:22 153 --a------ C:\Windows\System32\RacUREx.xml
2008-06-15 12:53 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 14:18 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-07-09 14:16 707,844 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k0
2008-07-09 14:16 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k7
2008-07-09 14:16 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k6
2008-07-09 14:16 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k5
2008-07-09 14:16 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k4
2008-07-09 14:16 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k3
2008-07-09 14:16 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k2
2008-07-09 14:16 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k1
2008-07-09 13:14 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 13:11 --------- d-----w C:\Users\Kyle\AppData\Roaming\uTorrent
2008-07-09 06:04 --------- d-----w C:\Users\Kyle\AppData\Roaming\.purple
2008-07-09 05:10 --------- d-----w C:\Users\Kyle\AppData\Roaming\gtk-2.0
2008-07-08 16:51 --------- d-----w C:\Users\Kyle\AppData\Roaming\dvdcss
2008-07-07 21:35 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-07-07 21:35 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-07-07 10:19 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-07-06 23:37 --------- d-----w C:\Program Files\AviSynth 2.5
2008-07-05 22:13 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig(206).xml
2008-07-04 11:40 --------- d-----w C:\Program Files\uTorrent
2008-07-02 22:27 --------- d-----w C:\Program Files\EA GAMES
2008-07-02 21:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-01 07:36 --------- d---a-w C:\ProgramData\TEMP
2008-06-29 21:53 23,850,324 ----a-w C:\Windows\Internet Logs\tvDebug.zip
2008-06-27 19:25 --------- d-----w C:\Users\Kyle\AppData\Roaming\NeroDigital™
2008-06-25 02:18 --------- d-----w C:\Program Files\Google
2008-06-23 14:54 --------- d-----w C:\Program Files\DivX
2008-06-23 04:48 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-23 04:44 --------- d-----w C:\ProgramData\Nero
2008-06-16 02:12 --------- d-----w C:\Program Files\Windows Mail
2008-06-07 09:32 --------- d-----w C:\Program Files\myFairTunes
2008-06-06 08:37 --------- d-----w C:\Program Files\RocketDock
2008-06-02 02:56 --------- d-----w C:\Program Files\dvdSanta
2008-06-01 06:45 --------- d-----w C:\Program Files\Image-Line
2008-06-01 06:37 --------- d-----w C:\Program Files\Steinberg
2008-06-01 01:19 --------- d-----w C:\Program Files\Activision
2008-05-31 23:03 --------- d-----w C:\Users\Kyle\AppData\Roaming\Astroburn
2008-05-31 22:41 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-05-31 22:41 --------- d-----w C:\Program Files\Astroburn
2008-05-31 17:10 29,543,188 ----a-w C:\Windows\Internet Logs\vsmon_on_demand_2008_05_30_20_20_18_full.dmp.zip
2008-05-29 19:39 29,118,063 ----a-w C:\Windows\Internet Logs\vsmon_on_demand_2008_05_29_03_18_59_full.dmp.zip
2008-05-28 00:18 --------- d-----w C:\Users\Kyle\AppData\Roaming\LimeWire
2008-05-19 18:06 --------- d-----w C:\Users\Kyle\AppData\Roaming\Malwarebytes
2008-05-19 18:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-05-17 09:30 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-05-17 09:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 09:10 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 22:14 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-15 22:14 --------- d-----w C:\Program Files\Common Files\Real
2008-05-15 22:13 --------- d-----w C:\Program Files\Real
2008-05-15 00:56 --------- d-----w C:\ProgramData\iolo
2008-05-15 00:56 --------- d-----w C:\Program Files\iolo
2008-05-14 18:40 --------- d-----w C:\Program Files\Avi2Dvd
2008-05-14 07:09 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-12 22:24 --------- d-----w C:\Users\Kyle\AppData\Roaming\Microsoft Games
2008-05-12 22:16 --------- d-----w C:\ProgramData\RapidSolution
2008-05-12 22:00 --------- d-----w C:\Program Files\Microsoft Games
2008-04-19 12:49 174 --sha-w C:\Program Files\desktop.ini
2008-03-16 08:37 0 ----a-w C:\Users\Kyle\AppData\Roaming\wklnhst.dat
2008-01-24 16:58 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-05 23:16 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-08 01:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-08 01:08 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-08 01:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-11-28 20:20 23 --sha-w C:\Windows\System32\aefcae_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-03 10:51 1045800]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 12:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 20:06 421888]
"KeyAccess"="C:\Windows\keyacc32.exe" [2007-06-08 14:00 749568]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-27 21:42 177416]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-05-22 02:50 173320]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-11-28 08:17 14088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34 134808]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2006-07-20 16:45 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 04:31 959976]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"iolo Startup"="C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [2008-05-06 08:58 307568]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-15 18:13 185632]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-11 17:53 5296128 C:\Windows\RtHDVCpl.exe]

C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Network USB Hub Control Center.lnk - C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe [2008-03-21 21:02:01 790609]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 23:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-01-31 15:00 79368 C:\Windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2006-12-15 19:59 530552 C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafwc]
--a------ 2008-05-22 02:50 1193224 C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-29 08:05 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-12-16 06:41 188416 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2006-12-11 21:45 448632 C:\Program Files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3828028985-627414594-974731854-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DBAF5C7D-25E8-479E-83A9-AF8215ABEBF6}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{5F820C8A-A04E-4661-98AE-7844B4B690F2}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{25D0FE1A-06C5-45C7-A28F-DA2AAFCB0446}C:\\program files\\miranda im\\miranda32.exe"= UDP:C:\program files\miranda im\miranda32.exe:Miranda IM
"UDP Query User{F9AAB84B-2E7F-47F4-B48F-1ACDF11B9C63}C:\\program files\\miranda im\\miranda32.exe"= TCP:C:\program files\miranda im\miranda32.exe:Miranda IM
"TCP Query User{7744309A-A088-49A8-AC66-93F637B6AC67}C:\\program files\\miranda im\\miranda32.exe"= UDP:C:\program files\miranda im\miranda32.exe:Miranda IM
"UDP Query User{5A46F49D-7729-4EF1-9E4E-3C16632988BA}C:\\program files\\miranda im\\miranda32.exe"= TCP:C:\program files\miranda im\miranda32.exe:Miranda IM
"{1FD76A42-5FC2-4BE1-B5E6-3D550D86E2E0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5406EC23-072A-4578-A364-C6682884E7D5}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{A03FEA9F-3A02-4379-8B80-6A8CF67A1D0D}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{D320FD00-46E1-47BF-BDE4-8BCE5294E83C}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{8436861D-17F4-4116-B895-C78A2C4CCAC1}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{25F3F80C-E52E-4F55-AEB5-59CA30BC672B}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{25A64441-802D-4D5E-9D46-A5707026A8FB}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{0E650028-0E85-4AF8-827D-4099A747AD1A}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{4817F3C8-E0FC-4E8E-81B7-BE32C14BE1E5}"= UDP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{4724694F-6DB9-4F39-883E-0D7CF4EAAA46}"= TCP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{A97E2FEF-EB71-4E65-92F5-067F56114D84}"= UDP:C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties
"{4F3ED503-588B-422C-ACED-2CD774957EC5}"= TCP:C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 KmxFw;KmxFw;C:\Windows\system32\DRIVERS\kmxfw.sys [2007-10-18 14:28]
R1 KmxAgent;KmxAgent;C:\Windows\system32\DRIVERS\kmxagent.sys [2007-03-21 19:49]
R1 KmxFile;KmxFile;C:\Windows\system32\DRIVERS\KmxFile.sys [2007-03-16 04:39]
R1 KmxFilter;HIPS Core Filter Driver;C:\Windows\system32\DRIVERS\KmxFilter.sys [2007-10-18 10:46]
R2 KmxCF;KmxCF;C:\Windows\system32\DRIVERS\KmxCF.sys [2007-10-18 10:46]
R2 KmxSbx;KmxSbx;C:\Windows\system32\DRIVERS\KmxSbx.sys [2007-11-02 04:54]
R2 NTIOWP;NTIOWP;C:\Windows\system32\drivers\NTIOWP.sys [2001-04-29 20:39]
R3 KmxCfg;KmxCfg;C:\Windows\system32\DRIVERS\kmxcfg.sys [2007-09-12 12:02]
S3 LTXMD_VAC;Litex Media Virtual Audio Cabel (WDM);C:\Windows\system32\drivers\lmvac.sys [2008-04-28 21:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eab8f52-c138-11dc-bdc0-0016d4fc3df5}]
\shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d008b31-a32e-11dc-b5af-0016d4fc3df5}]
\shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af8d580e-a8f1-11dc-a0c7-0016d4fc3df5}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b3-9d4f-11dc-97dc-0016d4fc3df5}]
\shell\AutoRun\command - I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b6-9d4f-11dc-97dc-0016d4fc3df5}]
\shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 01:16:18 C:\Windows\Tasks\CAAntiSpywareScan_Daily as Kyle at 8 15 PM.job"
??
? ??\- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)
MSConfigStartUp-NDSTray - NDSTray.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 10:18:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Kyle\AppData\Local\Temp\lucene-d346facdf1c5883d3d3f0474658ad49b-commit.lock

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\IoctlSvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\winsxs\x86_microsoft-windows-r..bilityanalysisagent_31bf3856ad364e35_6.0.6001.18000_none_26c0a2eaa039cb7f\RacAgent.exe
.
**************************************************************************
.
Completion time: 2008-07-09 10:33:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 14:30:10

Pre-Run: 7,260,893,184 bytes free
Post-Run: 5,719,687,168 bytes free

318 --- E O F --- 2008-07-07 20:31:48
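
A small triage script, added here as an example and not a tool from this thread, from BleepingComputer or from ComboFix: it reads ComboFix/catchme-style log lines (the sample it carries is constructed to mirror the format of the log above, with placeholder paths and product names) and pulls out the entries a responder checks first: firewall profiles with `"EnableFirewall"= 0`, Security Center monitoring suppressed for a product, AutoRun commands registered under MountPoints2, files catchme reported as hidden, and files ComboFix could not delete.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the ComboFix/catchme log format in this thread.
# Paths and product names are placeholders, not findings from the poster's machine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ExampleAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...

C:\Users\example\AppData\Local\Temp\example-commit.lock

scan completed successfully
hidden files: 1

C:\Windows\system32\example.dll . . . . failed to delete
"""


@dataclass(frozen=True)
class Finding:
    category: str  # firewall_disabled, monitoring_off, autorun, hidden_file, failed_delete
    detail: str


KEY_RE = re.compile(r"^\[(.+)\]$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
MONITORING_RE = re.compile(r'^"DisableMonitoring"=dword:([0-9a-fA-F]{8})$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(.+)$")
FAILED_RE = re.compile(r"^(.+?)(?:\s+\.)+\s+failed to delete\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def triage(log_text: str) -> list[Finding]:
    """Walk a ComboFix-style log and collect the entries a responder should look at first."""
    findings: list[Finding] = []
    current_key = ""        # registry key of the [section] we are inside
    in_hidden_scan = False  # between catchme's 'scanning hidden files' and 'scan completed'

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue

        # catchme section: every drive-letter path listed here was hidden from the normal file API.
        if line.startswith("scanning hidden files"):
            in_hidden_scan = True
            continue
        if in_hidden_scan:
            if line.startswith("scan completed"):
                in_hidden_scan = False
            elif DRIVE_PATH_RE.match(line):
                findings.append(Finding("hidden_file", line))
            continue

        m = FAILED_RE.match(line)
        if m:
            findings.append(Finding("failed_delete", m.group(1)))
            continue

        leaf = current_key.rsplit("\\", 1)[-1]  # last path component: profile or product name
        key_lower = current_key.lower()

        m = FIREWALL_RE.match(line)
        if m and "firewallpolicy" in key_lower and m.group(1) == "0":
            findings.append(Finding("firewall_disabled", leaf))
            continue

        m = MONITORING_RE.match(line)
        if m and r"security center\monitoring" in key_lower and int(m.group(1), 16) != 0:
            findings.append(Finding("monitoring_off", leaf))
            continue

        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key_lower:
            findings.append(Finding("autorun", f"{leaf}: {m.group(1)}"))

    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by category so the counts can be checked at a glance."""
    summary: dict[str, list[str]] = {}
    for f in findings:
        summary.setdefault(f.category, []).append(f.detail)
    return summary


if __name__ == "__main__":
    for category, details in summarize(triage(SAMPLE_LOG)).items():
        print(f"{category}:")
        for d in details:
            print(f"  {d}")
```

The script only surfaces lines; deciding whether an entry is benign (a vendor's own driver, a U3 launcher on a USB stick) or worth a closer look still needs the context the helpers in this thread ask for. Running it over a real ComboFix log means passing the whole file's text to `triage()` in place of `SAMPLE_LOG`.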

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 10 July 2008 - 03:59 AM

Hello Commie,

That already looks a lot better. :thumbsup:

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad, or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Suspect::[4]
C:\Windows\system32\vspubapi.dll
Folder::
C:\VundoFix Backups

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [4]-Submit_Date_Time.zip.

Are you still having problems?

Greetings,
Thunder

Edited by Thunder, 10 July 2008 - 04:01 AM.


#5 Commie

  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male

Posted 10 July 2008 - 08:18 AM

The vspubapi file is part of my ZoneAlarm Firewall client, which is no longer able to run. I receive an error message upon log-in that says the file is not meant to run or may be corrupted and that I should reinstall the software or ask for technical support. Other than that, everything seems to be running normally.

ComboFix 08-07-08.7 - Kyle 2008-07-10 8:28:18.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.175 [GMT -4:00]
Running from: C:\Users\Kyle\Desktop\ComboFix.exe
Command switches used :: C:\Users\Kyle\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\byXNeDVo.dll.bad
C:\VundoFix Backups\ddcCuSIY.dll.bad
C:\VundoFix Backups\SAbLoUvw.ini.bad
C:\VundoFix Backups\SAbLoUvw.ini2.bad
C:\VundoFix Backups\wvUoLbAS.dll.bad
C:\VundoFix Backups\YISuCcdd.ini.bad
C:\VundoFix Backups\YISuCcdd.ini2.bad
C:\Windows\system32\vspubapi.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-10 05:28 . 2008-07-10 05:29 <DIR> d-------- C:\Windows\SQLTools9_KB948109_ENU
2008-07-10 03:37 . 2008-07-10 03:39 <DIR> d-------- C:\Windows\SQL9_KB948109_ENU
2008-07-09 22:07 . 2008-07-09 22:07 <DIR> d-------- C:\Program Files\Bodrag
2008-07-09 10:42 . 2008-04-26 04:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-07-09 10:42 . 2008-04-26 04:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-07-09 10:42 . 2008-04-26 04:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-07-09 10:42 . 2008-04-11 23:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-07-09 10:42 . 2008-05-09 23:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-07-09 10:42 . 2008-04-04 21:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-07-09 10:42 . 2008-04-04 23:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-07-09 10:41 . 2008-05-08 17:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-07-09 10:41 . 2008-05-08 17:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-07-09 10:41 . 2008-05-08 17:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-07-09 10:41 . 2008-05-08 17:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-07-09 10:41 . 2008-05-08 17:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-07-09 10:41 . 2008-05-08 17:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-07-09 10:41 . 2008-05-08 17:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-06 18:24 . 2008-07-06 18:24 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-07-06 18:24 . 2008-07-06 18:24 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-07-06 06:40 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\MagicISO
2008-07-04 11:37 . 2008-07-04 11:49 94,208 --a------ C:\Windows\ScUnin.exe
2008-07-04 11:37 . 2008-07-04 11:49 34,693 --a------ C:\Windows\scunin.dat
2008-07-04 11:37 . 2008-07-04 11:49 967 --a------ C:\Windows\ScUnin.pif
2008-07-04 11:36 . 2008-07-07 06:19 <DIR> d-------- C:\Program Files\Starcraft
2008-07-03 17:13 . 2008-07-03 17:13 <DIR> d-------- C:\tmp
2008-07-02 17:29 . 2008-07-02 17:29 <DIR> d-------- C:\Program Files\Firaxis Games
2008-07-01 22:58 . 2008-07-01 22:58 <DIR> d-------- C:\Users\All Users\Innovative Solutions
2008-07-01 22:58 . 2008-07-01 22:58 <DIR> d-------- C:\ProgramData\Innovative Solutions
2008-07-01 22:57 . 2008-07-01 22:57 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-07-01 22:57 . 2006-11-22 12:35 42,496 --a------ C:\Windows\System32\AdvUninstCPL.cpl
2008-07-01 13:53 . 2008-07-02 18:32 737,280 --a------ C:\Windows\iun6002.exe
2008-07-01 08:25 . 2004-08-18 04:34 442,368 -ra------ C:\Windows\System32\vp6vfw.dll
2008-06-27 15:25 . <DIR> C:\Users\Kyle\AppData\Roaming\NeroDigitalT
2008-06-24 22:16 . 2008-07-10 05:02 <DIR> d-------- C:\Users\All Users\Google Updater
2008-06-24 22:16 . 2008-07-10 05:02 <DIR> d-------- C:\ProgramData\Google Updater
2008-06-23 10:55 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\bobyte
2008-06-23 10:39 . 2008-06-23 10:39 356,352 --a------ C:\Windows\eSellerateEngine.dll
2008-06-23 10:29 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\Deskshare
2008-06-23 10:29 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2008-06-23 10:29 . 2004-12-07 10:11 258,352 --a------ C:\Windows\System32\Unicows.dll
2008-06-15 13:06 . 2008-04-23 00:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-15 13:06 . 2008-04-23 00:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-15 13:06 . 2008-04-23 00:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-15 13:06 . 2008-04-23 00:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-15 12:57 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-15 12:56 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-15 12:56 . 2008-05-09 23:35 885,248 --a------ C:\Windows\System32\RacEngn.dll
2008-06-15 12:56 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-15 12:56 . 2008-05-09 18:22 9,127 --a------ C:\Windows\System32\RacUR.xml
2008-06-15 12:56 . 2008-05-09 18:22 153 --a------ C:\Windows\System32\RacUREx.xml
2008-06-15 12:53 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 12:44 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-07-10 12:38 707,844 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k0
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k7
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k6
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k5
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k4
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k3
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k2
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k1
2008-07-10 12:13 --------- d-----w C:\Program Files\Windows Mail
2008-07-10 12:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-10 12:04 --------- d-----w C:\Users\Kyle\AppData\Roaming\uTorrent
2008-07-10 09:52 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-10 05:07 --------- d-----w C:\Users\Kyle\AppData\Roaming\.purple
2008-07-09 13:14 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 05:10 --------- d-----w C:\Users\Kyle\AppData\Roaming\gtk-2.0
2008-07-08 16:51 --------- d-----w C:\Users\Kyle\AppData\Roaming\dvdcss
2008-07-07 21:35 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-07-07 21:35 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-07-07 10:19 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-07-06 23:37 --------- d-----w C:\Program Files\AviSynth 2.5
2008-07-05 22:13 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig(206).xml
2008-07-04 11:40 --------- d-----w C:\Program Files\uTorrent
2008-07-02 22:27 --------- d-----w C:\Program Files\EA GAMES
2008-07-02 21:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-01 07:36 --------- d---a-w C:\ProgramData\TEMP
2008-06-27 19:25 --------- d-----w C:\Users\Kyle\AppData\Roaming\NeroDigital™
2008-06-25 02:18 --------- d-----w C:\Program Files\Google
2008-06-23 14:54 --------- d-----w C:\Program Files\DivX
2008-06-23 04:48 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-23 04:44 --------- d-----w C:\ProgramData\Nero
2008-06-07 09:32 --------- d-----w C:\Program Files\myFairTunes
2008-06-06 08:37 --------- d-----w C:\Program Files\RocketDock
2008-06-02 02:56 --------- d-----w C:\Program Files\dvdSanta
2008-06-01 06:45 --------- d-----w C:\Program Files\Image-Line
2008-06-01 06:37 --------- d-----w C:\Program Files\Steinberg
2008-06-01 01:19 --------- d-----w C:\Program Files\Activision
2008-05-31 23:03 --------- d-----w C:\Users\Kyle\AppData\Roaming\Astroburn
2008-05-31 22:41 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-05-31 22:41 --------- d-----w C:\Program Files\Astroburn
2008-05-28 00:18 --------- d-----w C:\Users\Kyle\AppData\Roaming\LimeWire
2008-05-19 18:06 --------- d-----w C:\Users\Kyle\AppData\Roaming\Malwarebytes
2008-05-19 18:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-05-17 09:30 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-05-17 09:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 09:10 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 22:14 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-15 22:14 --------- d-----w C:\Program Files\Common Files\Real
2008-05-15 22:13 --------- d-----w C:\Program Files\Real
2008-05-15 00:56 --------- d-----w C:\ProgramData\iolo
2008-05-15 00:56 --------- d-----w C:\Program Files\iolo
2008-05-14 18:40 --------- d-----w C:\Program Files\Avi2Dvd
2008-05-12 22:24 --------- d-----w C:\Users\Kyle\AppData\Roaming\Microsoft Games
2008-05-12 22:16 --------- d-----w C:\ProgramData\RapidSolution
2008-05-12 22:00 --------- d-----w C:\Program Files\Microsoft Games
2008-04-19 12:49 174 --sha-w C:\Program Files\desktop.ini
2008-03-16 08:37 0 ----a-w C:\Users\Kyle\AppData\Roaming\wklnhst.dat
2008-01-24 16:58 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-05 23:16 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-08 01:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-08 01:08 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-08 01:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-11-28 20:20 23 --sha-w C:\Windows\System32\aefcae_r.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-09_10.27.58.72 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-09 14:17:59 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-07-10 12:43:55 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-14 07:09:40 1,165,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-07-10 12:08:34 1,165,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-05-14 07:09:41 20,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-07-10 12:08:35 20,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-05-14 07:09:40 159,504 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-07-10 12:08:34 159,504 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-05-14 07:09:40 184,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-07-10 12:08:35 184,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-05-14 07:09:41 217,864 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-07-10 12:08:35 217,864 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-05-14 07:09:41 18,704 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-07-10 12:08:35 18,704 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-05-14 07:09:41 35,088 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-07-10 12:08:36 35,088 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-05-14 07:09:40 845,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-07-10 12:08:35 845,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-05-14 07:09:41 922,384 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-07-10 12:08:35 922,384 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-05-14 07:09:41 272,648 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-07-10 12:08:35 272,648 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-05-14 07:09:41 888,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-07-10 12:08:35 888,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-05-14 07:09:40 1,172,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-10 12:08:34 1,172,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-10 12:43:57 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-10 12:43:57 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-09 14:18:39 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-07-10 12:44:50 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-07-09 14:18:38 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-07-10 12:44:43 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2007-02-10 09:09:12 127,856 ----a-w C:\Windows\SQL9_KB948109_ENU\batchparser90.dll
+ 2007-02-10 09:09:20 1,039,728 ----a-w C:\Windows\SQL9_KB948109_ENU\dbghelp.dll
+ 2007-02-10 09:15:30 1,160,560 ----a-w C:\Windows\SQL9_KB948109_ENU\dumpdatastore.dll
+ 2008-02-27 02:08:46 2,501,648 ----a-w C:\Windows\SQL9_KB948109_ENU\hotfix.exe
+ 2005-10-14 03:26:42 548,864 ----a-w C:\Windows\SQL9_KB948109_ENU\msvcp80.dll
+ 2005-10-14 03:26:42 626,688 ----a-w C:\Windows\SQL9_KB948109_ENU\msvcr80.dll
+ 2007-02-10 09:29:52 143,728 ----a-w C:\Windows\SQL9_KB948109_ENU\sqlcmd.exe
+ 2007-02-10 09:29:52 533,872 ----a-w C:\Windows\SQL9_KB948109_ENU\sqldiscoveryapi.dll
+ 2007-02-10 09:29:54 230,256 ----a-w C:\Windows\SQL9_KB948109_ENU\sqlsetupvista.dll
+ 2007-02-10 09:09:12 127,856 ----a-w C:\Windows\SQLTools9_KB948109_ENU\batchparser90.dll
+ 2007-02-10 09:09:20 1,039,728 ----a-w C:\Windows\SQLTools9_KB948109_ENU\dbghelp.dll
+ 2007-02-10 09:15:30 1,160,560 ----a-w C:\Windows\SQLTools9_KB948109_ENU\dumpdatastore.dll
+ 2008-02-27 02:08:46 2,501,648 ----a-w C:\Windows\SQLTools9_KB948109_ENU\hotfix.exe
+ 2005-10-14 03:26:42 548,864 ----a-w C:\Windows\SQLTools9_KB948109_ENU\msvcp80.dll
+ 2005-10-14 03:26:42 626,688 ----a-w C:\Windows\SQLTools9_KB948109_ENU\msvcr80.dll
+ 2007-02-10 09:29:52 143,728 ----a-w C:\Windows\SQLTools9_KB948109_ENU\sqlcmd.exe
+ 2007-02-10 09:29:52 533,872 ----a-w C:\Windows\SQLTools9_KB948109_ENU\sqldiscoveryapi.dll
+ 2007-02-10 09:29:54 230,256 ----a-w C:\Windows\SQLTools9_KB948109_ENU\sqlsetupvista.dll
- 2008-07-09 14:18:08 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-10 12:44:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-09 14:18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-10 12:44:11 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-09 14:18:08 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-10 12:44:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-19 07:34:35 512,000 ----a-w C:\Windows\System32\jscript.dll
+ 2008-05-08 21:59:28 512,000 ----a-w C:\Windows\System32\jscript.dll
- 2008-01-19 07:36:10 11,580,416 ----a-w C:\Windows\System32\shell32.dll
+ 2008-04-24 04:58:20 11,580,416 ----a-w C:\Windows\System32\shell32.dll
- 2008-06-26 07:04:01 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
+ 2008-07-10 12:42:12 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
- 2008-07-09 14:21:40 12,960 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3828028985-627414594-974731854-1000_UserData.bin
+ 2008-07-10 12:46:20 12,968 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3828028985-627414594-974731854-1000_UserData.bin
- 2008-07-09 14:21:39 85,218 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-10 12:46:19 85,396 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-07 06:45:15 79,164 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-10 12:46:09 79,458 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-06-26 07:03:50 121,476,326 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-07-09 14:40:58 124,607,323 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-05-10 03:35:15 564,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18069_none_9e540f60f6e2ecf1\emdmgmt.dll
+ 2008-05-10 03:17:36 564,736 ----a-w C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.22176_none_9ecfdb62100b5ca7\emdmgmt.dll
+ 2008-05-28 03:27:17 223,288 ----a-w C:\Windows\winsxs\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22188_none_56d68c90cea4d169\netio.sys
+ 2008-05-28 03:17:25 328,704 ----a-w C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22188_none_cd5f8fa443e22213\BFE.DLL
+ 2008-05-28 03:28:43 101,432 ----a-w C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22188_none_cd5f8fa443e22213\FWPKCLNT.SYS
+ 2008-05-28 03:19:07 595,456 ----a-w C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22188_none_cd5f8fa443e22213\FWPUCLNT.DLL
+ 2008-05-28 03:19:32 438,272 ----a-w C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22188_none_cd5f8fa443e22213\IKEEXT.DLL
+ 2008-06-09 22:40:17 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16699_none_f0498ecc6e94a1be\OESpamFilter.dat
+ 2008-06-09 22:37:40 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20855_none_f0fa6c058795698f\OESpamFilter.dat
+ 2008-06-11 00:28:21 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18088_none_f2399d146bb3fd67\OESpamFilter.dat
+ 2008-06-09 22:36:23 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22200_none_f311b8d58497f018\OESpamFilter.dat
+ 2008-04-26 08:25:53 3,600,952 ----a-w C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18063_none_6bf282f6b4510613\ntkrnlpa.exe
+ 2008-04-26 08:25:54 3,549,240 ----a-w C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18063_none_6bf282f6b4510613\ntoskrnl.exe
+ 2008-04-26 08:11:34 3,601,464 ----a-w C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22167_none_6c8020e9cd6b0b39\ntkrnlpa.exe
+ 2008-04-26 08:11:33 3,549,240 ----a-w C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22167_none_6c8020e9cd6b0b39\ntoskrnl.exe
+ 2008-04-05 01:21:42 72,192 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.18046_none_ae262a9c57bfa9b1\pacer.sys
+ 2008-04-05 03:34:31 15,360 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.18046_none_ae262a9c57bfa9b1\pacerprf.dll
+ 2006-11-02 09:46:13 33,280 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.18046_none_ae262a9c57bfa9b1\traffic.dll
+ 2006-11-02 09:46:14 13,824 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.18046_none_ae262a9c57bfa9b1\wshqos.dll
+ 2008-04-05 01:20:52 72,192 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.22151_none_ae9ff60970e9e6b9\pacer.sys
+ 2008-04-05 03:20:42 15,360 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.22151_none_ae9ff60970e9e6b9\pacerprf.dll
+ 2008-04-05 03:21:19 33,280 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.22151_none_ae9ff60970e9e6b9\traffic.dll
+ 2008-04-05 03:21:39 13,824 ----a-w C:\Windows\winsxs\x86_microsoft-windows-qos_31bf3856ad364e35_6.0.6001.22151_none_ae9ff60970e9e6b9\wshqos.dll
+ 2008-04-12 03:32:11 784,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6001.18051_none_b3c58fc5453bf46b\rpcrt4.dll
+ 2008-04-12 03:16:32 784,896 ----a-w C:\Windows\winsxs\x86_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6001.22156_none_b4542e025e5512e8\rpcrt4.dll
+ 2008-05-08 21:59:35 90,112 ----a-w C:\Windows\winsxs\x86_microsoft-windows-s..ing-shell-extension_31bf3856ad364e35_6.0.6001.18068_none_0a48f9ec246cf834\wshext.dll
+ 2008-05-08 05:22:33 90,112 ----a-w C:\Windows\winsxs\x86_microsoft-windows-s..ing-shell-extension_31bf3856ad364e35_6.0.6001.22175_none_0ac4c5ed3d9567ea\wshext.dll
+ 2008-05-08 21:59:28 512,000 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_6.0.6001.18068_none_82a70b5ef74dc96b\jscript.dll
+ 2008-05-08 05:18:59 512,000 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_6.0.6001.22175_none_8322d76010763921\jscript.dll
+ 2008-05-08 21:59:33 430,080 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.0.6001.18068_none_482126172e1075a7\vbscript.dll
+ 2008-05-08 05:22:13 430,080 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.0.6001.22175_none_489cf2184738e55d\vbscript.dll
+ 2008-05-08 21:58:40 135,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18068_none_482f75de008363d9\cscript.exe
+ 2008-01-19 07:34:04 32,768 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18068_none_482f75de008363d9\dispex.dll
+ 2008-05-08 21:59:32 180,224 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18068_none_482f75de008363d9\scrobj.dll
+ 2008-05-08 21:59:32 172,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18068_none_482f75de008363d9\scrrun.dll
+ 2008-05-08 21:59:26 155,648 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18068_none_482f75de008363d9\wscript.exe
+ 2008-01-19 07:37:11 36,864 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.18068_none_482f75de008363d9\wshcon.dll
+ 2008-05-08 03:12:11 135,168 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.22175_none_48ab41df19abd38f\cscript.exe
+ 2008-05-08 05:17:02 32,768 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.22175_none_48ab41df19abd38f\dispex.dll
+ 2008-05-08 05:21:52 180,224 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.22175_none_48ab41df19abd38f\scrobj.dll
+ 2008-05-08 05:21:52 172,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.22175_none_48ab41df19abd38f\scrrun.dll
+ 2008-05-08 03:12:11 155,648 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.22175_none_48ab41df19abd38f\wscript.exe
+ 2008-05-08 05:22:33 36,864 ----a-w C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.0.6001.22175_none_48ab41df19abd38f\wshcon.dll
+ 2008-04-24 04:51:39 11,315,712 ----a-w C:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16680_none_69ec6cd815163c56\shell32.dll
+ 2008-04-24 04:40:28 11,319,808 ----a-w C:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.20822_none_6ab8eba52e01644f\shell32.dll
+ 2008-04-24 04:58:20 11,580,416 ----a-w C:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813\shell32.dll
+ 2008-04-24 04:45:45 11,581,440 ----a-w C:\Windows\winsxs\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.22166_none_6c77e9dd2b44cd39\shell32.dll
+ 2008-04-26 08:26:49 891,448 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18063_none_b2e033a8669434a1\tcpip.sys
+ 2008-04-26 08:08:16 891,448 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22167_none_b36dd19b7fae39c7\tcpip.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-03 10:51 1045800]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 12:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 20:06 421888]
"KeyAccess"="C:\Windows\keyacc32.exe" [2007-06-08 14:00 749568]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-27 21:42 177416]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-05-22 02:50 173320]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-11-28 08:17 14088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34 134808]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2006-07-20 16:45 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 04:31 959976]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"iolo Startup"="C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [2008-05-06 08:58 307568]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-15 18:13 185632]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-11 17:53 5296128 C:\Windows\RtHDVCpl.exe]

C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Network USB Hub Control Center.lnk - C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe [2008-03-21 21:02:01 790609]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 23:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-01-31 15:00 79368 C:\Windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2006-12-15 19:59 530552 C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafwc]
--a------ 2008-05-22 02:50 1193224 C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-29 08:05 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-12-16 06:41 188416 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2006-12-11 21:45 448632 C:\Program Files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3828028985-627414594-974731854-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DBAF5C7D-25E8-479E-83A9-AF8215ABEBF6}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{5F820C8A-A04E-4661-98AE-7844B4B690F2}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{25D0FE1A-06C5-45C7-A28F-DA2AAFCB0446}C:\\program files\\miranda im\\miranda32.exe"= UDP:C:\program files\miranda im\miranda32.exe:Miranda IM
"UDP Query User{F9AAB84B-2E7F-47F4-B48F-1ACDF11B9C63}C:\\program files\\miranda im\\miranda32.exe"= TCP:C:\program files\miranda im\miranda32.exe:Miranda IM
"TCP Query User{7744309A-A088-49A8-AC66-93F637B6AC67}C:\\program files\\miranda im\\miranda32.exe"= UDP:C:\program files\miranda im\miranda32.exe:Miranda IM
"UDP Query User{5A46F49D-7729-4EF1-9E4E-3C16632988BA}C:\\program files\\miranda im\\miranda32.exe"= TCP:C:\program files\miranda im\miranda32.exe:Miranda IM
"{1FD76A42-5FC2-4BE1-B5E6-3D550D86E2E0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5406EC23-072A-4578-A364-C6682884E7D5}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{A03FEA9F-3A02-4379-8B80-6A8CF67A1D0D}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{D320FD00-46E1-47BF-BDE4-8BCE5294E83C}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{8436861D-17F4-4116-B895-C78A2C4CCAC1}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{25F3F80C-E52E-4F55-AEB5-59CA30BC672B}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{25A64441-802D-4D5E-9D46-A5707026A8FB}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{0E650028-0E85-4AF8-827D-4099A747AD1A}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{4817F3C8-E0FC-4E8E-81B7-BE32C14BE1E5}"= UDP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{4724694F-6DB9-4F39-883E-0D7CF4EAAA46}"= TCP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{A97E2FEF-EB71-4E65-92F5-067F56114D84}"= UDP:C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties
"{4F3ED503-588B-422C-ACED-2CD774957EC5}"= TCP:C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 KmxFw;KmxFw;C:\Windows\system32\DRIVERS\kmxfw.sys [2007-10-18 14:28]
R1 KmxAgent;KmxAgent;C:\Windows\system32\DRIVERS\kmxagent.sys [2007-03-21 19:49]
R1 KmxFile;KmxFile;C:\Windows\system32\DRIVERS\KmxFile.sys [2007-03-16 04:39]
R1 KmxFilter;HIPS Core Filter Driver;C:\Windows\system32\DRIVERS\KmxFilter.sys [2007-10-18 10:46]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 KmxCF;KmxCF;C:\Windows\system32\DRIVERS\KmxCF.sys [2007-10-18 10:46]
R2 KmxSbx;KmxSbx;C:\Windows\system32\DRIVERS\KmxSbx.sys [2007-11-02 04:54]
R2 NTIOWP;NTIOWP;C:\Windows\system32\drivers\NTIOWP.sys [2001-04-29 20:39]
R2 sxuptp;SXUPTP Driver;C:\Windows\system32\DRIVERS\sxuptp.sys [2007-07-26 23:03]
R3 KmxCfg;KmxCfg;C:\Windows\system32\DRIVERS\kmxcfg.sys [2007-09-12 12:02]
S3 LTXMD_VAC;Litex Media Virtual Audio Cabel (WDM);C:\Windows\system32\drivers\lmvac.sys [2008-04-28 21:27]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 01:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eab8f52-c138-11dc-bdc0-0016d4fc3df5}]
\shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d008b31-a32e-11dc-b5af-0016d4fc3df5}]
\shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af8d580e-a8f1-11dc-a0c7-0016d4fc3df5}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b3-9d4f-11dc-97dc-0016d4fc3df5}]
\shell\AutoRun\command - I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b6-9d4f-11dc-97dc-0016d4fc3df5}]
\shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 01:16:18 C:\Windows\Tasks\CAAntiSpywareScan_Daily as Kyle at 8 15 PM.job"
??
? ??\- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 08:45:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\IoctlSvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\wercon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\ieuser.exe
.
**************************************************************************
.
Completion time: 2008-07-10 8:57:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 12:56:50
ComboFix2.txt 2008-07-09 14:33:54

The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 9,067,671,552 bytes free

466 --- E O F --- 2008-07-10 12:11:33


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:17, on 2008-07-10
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Windows\system32\CF32070.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeyAccess] C:\Windows\keyacc32.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUICECooLSrv.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 12509 bytes

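The Reg Loading Points section of the ComboFix log above already contains the settings a responder would flag first: UAC off (EnableLUA=0), Windows Firewall off in all three profiles, Security Center monitoring disabled for every installed product, and AutoRun handlers registered for removable drives. The script below is added here as an example; it is not part of ComboFix or of the original posts. It parses that REGEDIT4-style section and reports those conditions. SAMPLE_LOG is an excerpt copied from the log above and embedded so the script runs offline; the severity labels are the example's own choice.

```python
"""Flag weakened security settings in the 'Reg Loading Points' section of a
ComboFix log. Added example for this thread; it is not part of ComboFix or
of the original posts, and the severity labels are the example's own choice."""
import re
from dataclasses import dataclass

# Excerpt copied from the ComboFix log posted above (REGEDIT4-style dump),
# embedded here so the example runs offline. A real run would read ComboFix.txt.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eab8f52-c138-11dc-bdc0-0016d4fc3df5}]
\shell\AutoRun\command - F:\SETUP.EXE
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (this example's own scale)
    key: str        # registry key the finding came from
    detail: str


def reg_int(raw):
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def parse_reg_dump(text):
    """Return {key: {value_name: raw_value}}. AutoRun command lines, which ComboFix
    prints without a value name, are stored under the synthetic name 'AutoRun'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current][m.group("name")] = m.group("value").strip()
            continue
        m = AUTORUN_RE.match(line)
        if m:
            sections[current]["AutoRun"] = m.group("cmd").strip()
    return sections


def audit(sections):
    """Apply the checks a responder makes first on a Vista-era log."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]   # profile or product name at the end of the key
        if k.endswith("policies\\system") and "EnableLUA" in values and reg_int(values["EnableLUA"]) == 0:
            findings.append(Finding("high", key, "UAC disabled (EnableLUA=0): processes in an admin session run fully elevated with no prompt"))
        if "firewallpolicy\\" in k and "EnableFirewall" in values and reg_int(values["EnableFirewall"]) == 0:
            findings.append(Finding("high", key, f"Windows Firewall disabled for {leaf}"))
        if "security center\\monitoring\\" in k and "DisableMonitoring" in values and reg_int(values["DisableMonitoring"]) == 1:
            findings.append(Finding("medium", key, f"Security Center no longer monitors {leaf}"))
        if "mountpoints2" in k and "AutoRun" in values:
            findings.append(Finding("info", key, f"AutoRun handler on removable media: {values['AutoRun']}"))
    return findings


def audit_log(text):
    """Parse a ComboFix registry section and return its findings in log order."""
    return audit(parse_reg_dump(text))


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}\n         {f.key}")
```

DisableMonitoring=1 is routinely written by third-party suites that register with Security Center, so treat that finding as a prompt to confirm the product is actually running (compare against the process list in the same log), not as proof of tampering. EnableLUA=0 and EnableFirewall=0 in every profile are worth acting on regardless of who set them, and the mountpoints2 entries record what AutoRun would have launched from each removable drive.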
#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 11 July 2008 - 04:15 AM

Hello Commie,

I see you're running the CA Personal Firewall as well?
Don't you think that's somewhat overkill?

If you decide to keep the ZoneAlarm firewall installed,
try this first:

Delete your present version of ComboFix.exe from your Desktop.
Download the latest version and save it back to your Desktop.

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

FCopy::
C:\QooBox\Quarantine\C\Windows\System32\vspubapi.dll.vir | C:\Windows\System32\vspubapi.dll

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe, as you see in the screenshot below.

[screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply.
Check whether the ZA firewall is operational again.

If you decide to stick to one active firewall (the most advisable option), please remove the other one from the Software list under Control Panel > Software.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#7 Commie

  • Topic Starter
  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 11 July 2008 - 08:56 AM

ZA Firewall still gives me the same error as before. And just as a note, I have the CA Firewall disabled and it has been for some time. If it's necessary for me to uninstall it completely then please let me know and I'll proceed to do so. I have the last CF log but I'll be away from my computer for the weekend and I won't be able to respond to anything for the next 2 or 3 days. Thanks again for your continued help.


ComboFix 08-07-10.1 - Kyle 2008-07-11 9:28:40.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.272 [GMT -4:00]
Running from: C:\Users\Kyle\Desktop\ComboFix.exe
Command switches used :: C:\Users\Kyle\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-11 01:49 . 2008-07-11 01:58 <DIR> d-------- C:\Program Files\Maketorrent 2
2008-07-10 09:50 . 2008-07-10 09:50 <DIR> d-------- C:\Program Files\Haali
2008-07-10 09:49 . 2008-07-10 09:49 <DIR> d-------- C:\Program Files\CoreCodec
2008-07-10 05:28 . 2008-07-10 05:29 <DIR> d-------- C:\Windows\SQLTools9_KB948109_ENU
2008-07-10 03:37 . 2008-07-10 03:39 <DIR> d-------- C:\Windows\SQL9_KB948109_ENU
2008-07-09 22:07 . 2008-07-09 22:07 <DIR> d-------- C:\Program Files\Bodrag
2008-07-09 10:42 . 2008-04-26 04:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-07-09 10:42 . 2008-04-26 04:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-07-09 10:42 . 2008-04-26 04:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-07-09 10:42 . 2008-04-11 23:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-07-09 10:42 . 2008-05-09 23:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-07-09 10:42 . 2008-04-04 21:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-07-09 10:42 . 2008-04-04 23:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-07-09 10:41 . 2008-05-08 17:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-07-09 10:41 . 2008-05-08 17:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-07-09 10:41 . 2008-05-08 17:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-07-09 10:41 . 2008-05-08 17:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-07-09 10:41 . 2008-05-08 17:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-07-09 10:41 . 2008-05-08 17:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-07-09 10:41 . 2008-05-08 17:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-06 18:24 . 2008-07-06 18:24 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-07-06 18:24 . 2008-07-06 18:24 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-07-06 06:40 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\MagicISO
2008-07-04 11:37 . 2008-07-04 11:49 94,208 --a------ C:\Windows\ScUnin.exe
2008-07-04 11:37 . 2008-07-04 11:49 34,693 --a------ C:\Windows\scunin.dat
2008-07-04 11:37 . 2008-07-04 11:49 967 --a------ C:\Windows\ScUnin.pif
2008-07-04 11:36 . 2008-07-07 06:19 <DIR> d-------- C:\Program Files\Starcraft
2008-07-03 17:13 . 2008-07-03 17:13 <DIR> d-------- C:\tmp
2008-07-02 17:29 . 2008-07-02 17:29 <DIR> d-------- C:\Program Files\Firaxis Games
2008-07-01 22:58 . 2008-07-01 22:58 <DIR> d-------- C:\Users\All Users\Innovative Solutions
2008-07-01 22:58 . 2008-07-01 22:58 <DIR> d-------- C:\ProgramData\Innovative Solutions
2008-07-01 22:57 . 2008-07-01 22:57 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-07-01 22:57 . 2006-11-22 12:35 42,496 --a------ C:\Windows\System32\AdvUninstCPL.cpl
2008-07-01 13:53 . 2008-07-02 18:32 737,280 --a------ C:\Windows\iun6002.exe
2008-07-01 08:25 . 2004-08-18 04:34 442,368 -ra------ C:\Windows\System32\vp6vfw.dll
2008-06-27 15:25 . 2008-06-27 15:25 <DIR> d-------- C:\Users\Kyle\AppData\Roaming\NeroDigital™
2008-06-24 22:16 . 2008-07-11 06:09 <DIR> d-------- C:\Users\All Users\Google Updater
2008-06-24 22:16 . 2008-07-11 06:09 <DIR> d-------- C:\ProgramData\Google Updater
2008-06-23 10:55 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\bobyte
2008-06-23 10:39 . 2008-06-23 10:39 356,352 --a------ C:\Windows\eSellerateEngine.dll
2008-06-23 10:29 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\Deskshare
2008-06-23 10:29 . 2008-07-06 19:37 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2008-06-23 10:29 . 2004-12-07 10:11 258,352 --a------ C:\Windows\System32\Unicows.dll
2008-06-15 13:06 . 2008-04-23 00:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-15 13:06 . 2008-04-23 00:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-15 13:06 . 2008-04-23 00:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-15 13:06 . 2008-04-23 00:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-15 12:57 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-15 12:56 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-15 12:56 . 2008-05-09 23:35 885,248 --a------ C:\Windows\System32\RacEngn.dll
2008-06-15 12:56 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-15 12:56 . 2008-05-09 18:22 9,127 --a------ C:\Windows\System32\RacUR.xml
2008-06-15 12:56 . 2008-05-09 18:22 153 --a------ C:\Windows\System32\RacUREx.xml
2008-06-15 12:53 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 13:19 --------- d-----w C:\Users\Kyle\AppData\Roaming\uTorrent
2008-07-11 07:17 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-11 05:59 --------- d-----w C:\Users\Kyle\AppData\Roaming\.purple
2008-07-11 05:10 --------- d-----w C:\Users\Kyle\AppData\Roaming\gtk-2.0
2008-07-10 12:44 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-07-10 12:38 707,844 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k0
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k7
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k6
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k5
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k4
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k3
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k2
2008-07-10 12:38 64 ----a-w C:\Windows\system32\drivers\kmxcfg.u2k1
2008-07-10 12:13 --------- d-----w C:\Program Files\Windows Mail
2008-07-10 12:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-09 13:14 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 16:51 --------- d-----w C:\Users\Kyle\AppData\Roaming\dvdcss
2008-07-07 21:35 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-07-07 21:35 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-07-07 10:19 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-07-06 23:37 --------- d-----w C:\Program Files\AviSynth 2.5
2008-07-05 22:13 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig(206).xml
2008-07-04 11:40 --------- d-----w C:\Program Files\uTorrent
2008-07-02 22:27 --------- d-----w C:\Program Files\EA GAMES
2008-07-02 21:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-01 07:36 --------- d---a-w C:\ProgramData\TEMP
2008-06-29 21:53 23,850,324 ----a-w C:\Windows\Internet Logs\tvDebug.zip
2008-06-25 02:18 --------- d-----w C:\Program Files\Google
2008-06-23 14:54 --------- d-----w C:\Program Files\DivX
2008-06-23 04:48 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-23 04:44 --------- d-----w C:\ProgramData\Nero
2008-06-07 09:32 --------- d-----w C:\Program Files\myFairTunes
2008-06-06 08:37 --------- d-----w C:\Program Files\RocketDock
2008-06-02 02:56 --------- d-----w C:\Program Files\dvdSanta
2008-06-01 06:45 --------- d-----w C:\Program Files\Image-Line
2008-06-01 06:37 --------- d-----w C:\Program Files\Steinberg
2008-06-01 01:19 --------- d-----w C:\Program Files\Activision
2008-05-31 23:03 --------- d-----w C:\Users\Kyle\AppData\Roaming\Astroburn
2008-05-31 22:41 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-05-31 22:41 --------- d-----w C:\Program Files\Astroburn
2008-05-31 17:10 29,543,188 ----a-w C:\Windows\Internet Logs\vsmon_on_demand_2008_05_30_20_20_18_full.dmp.zip
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-05-29 19:39 29,118,063 ----a-w C:\Windows\Internet Logs\vsmon_on_demand_2008_05_29_03_18_59_full.dmp.zip
2008-05-28 00:18 --------- d-----w C:\Users\Kyle\AppData\Roaming\LimeWire
2008-05-22 22:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-05-19 18:06 --------- d-----w C:\Users\Kyle\AppData\Roaming\Malwarebytes
2008-05-19 18:06 --------- d-----w C:\ProgramData\Malwarebytes
2008-05-17 09:30 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-05-17 09:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 09:10 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 22:14 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-15 22:14 --------- d-----w C:\Program Files\Common Files\Real
2008-05-15 22:13 --------- d-----w C:\Program Files\Real
2008-05-15 00:56 --------- d-----w C:\ProgramData\iolo
2008-05-15 00:56 --------- d-----w C:\Program Files\iolo
2008-05-14 18:40 --------- d-----w C:\Program Files\Avi2Dvd
2008-05-12 22:24 --------- d-----w C:\Users\Kyle\AppData\Roaming\Microsoft Games
2008-05-12 22:16 --------- d-----w C:\ProgramData\RapidSolution
2008-05-12 22:00 --------- d-----w C:\Program Files\Microsoft Games
2008-05-06 20:49 428,904 ----a-w C:\Windows\System32\Incinerator.dll
2008-04-19 12:49 174 --sha-w C:\Program Files\desktop.ini
2008-04-19 08:18 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-19 08:18 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-04-12 11:41 180,224 ----a-w C:\Windows\System32\xvidvfw.dll
2008-04-12 11:30 765,952 ----a-w C:\Windows\System32\xvidcore.dll
2008-03-16 08:37 0 ----a-w C:\Users\Kyle\AppData\Roaming\wklnhst.dat
2008-01-24 16:58 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-05 23:16 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-08 01:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-08 01:08 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-08 01:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-11-28 20:20 23 --sha-w C:\Windows\System32\aefcae_r.dll
.

((((((((((((((((((((((((((((( snapshot_2008-07-10_ 8.53.56.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-10 12:44:50 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-07-11 09:28:14 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-07-10 12:44:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-10 12:49:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-10 12:44:11 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-10 12:49:26 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-10 12:44:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-10 12:49:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-09 14:03:41 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-07-11 13:28:05 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-07-09 00:32:07 119,836 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-11 07:37:30 119,836 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-09 00:32:07 645,296 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-11 07:37:30 645,296 ----a-w C:\Windows\System32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-03 10:51 1045800]
"HWSetup"="C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 12:06 413696]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 20:06 421888]
"KeyAccess"="C:\Windows\keyacc32.exe" [2007-06-08 14:00 749568]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-27 21:42 177416]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-05-22 02:50 173320]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-11-28 08:17 14088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 18:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 07:34 134808]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2006-07-20 16:45 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 04:31 959976]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"iolo Startup"="C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [2008-05-06 08:58 307568]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-15 18:13 185632]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-11 17:53 5296128 C:\Windows\RtHDVCpl.exe]

C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Network USB Hub Control Center.lnk - C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe [2008-03-21 21:02:01 790609]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 23:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-01-31 15:00 79368 C:\Windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2006-12-15 19:59 530552 C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafwc]
--a------ 2008-05-22 02:50 1193224 C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-29 08:05 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-12-16 06:41 188416 C:\Program Files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2006-12-11 21:45 448632 C:\Program Files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3828028985-627414594-974731854-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DBAF5C7D-25E8-479E-83A9-AF8215ABEBF6}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{5F820C8A-A04E-4661-98AE-7844B4B690F2}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{25D0FE1A-06C5-45C7-A28F-DA2AAFCB0446}C:\\program files\\miranda im\\miranda32.exe"= UDP:C:\program files\miranda im\miranda32.exe:Miranda IM
"UDP Query User{F9AAB84B-2E7F-47F4-B48F-1ACDF11B9C63}C:\\program files\\miranda im\\miranda32.exe"= TCP:C:\program files\miranda im\miranda32.exe:Miranda IM
"TCP Query User{7744309A-A088-49A8-AC66-93F637B6AC67}C:\\program files\\miranda im\\miranda32.exe"= UDP:C:\program files\miranda im\miranda32.exe:Miranda IM
"UDP Query User{5A46F49D-7729-4EF1-9E4E-3C16632988BA}C:\\program files\\miranda im\\miranda32.exe"= TCP:C:\program files\miranda im\miranda32.exe:Miranda IM
"{1FD76A42-5FC2-4BE1-B5E6-3D550D86E2E0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5406EC23-072A-4578-A364-C6682884E7D5}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{A03FEA9F-3A02-4379-8B80-6A8CF67A1D0D}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{D320FD00-46E1-47BF-BDE4-8BCE5294E83C}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{8436861D-17F4-4116-B895-C78A2C4CCAC1}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{25F3F80C-E52E-4F55-AEB5-59CA30BC672B}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{25A64441-802D-4D5E-9D46-A5707026A8FB}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{0E650028-0E85-4AF8-827D-4099A747AD1A}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{4817F3C8-E0FC-4E8E-81B7-BE32C14BE1E5}"= UDP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{4724694F-6DB9-4F39-883E-0D7CF4EAAA46}"= TCP:C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:Age of Empires III - The WarChiefs
"{A97E2FEF-EB71-4E65-92F5-067F56114D84}"= UDP:C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties
"{4F3ED503-588B-422C-ACED-2CD774957EC5}"= TCP:C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:Age of Empires III - The Asian Dynasties

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 KmxFw;KmxFw;C:\Windows\system32\DRIVERS\kmxfw.sys [2007-10-18 14:28]
R1 KmxAgent;KmxAgent;C:\Windows\system32\DRIVERS\kmxagent.sys [2007-03-21 19:49]
R1 KmxFile;KmxFile;C:\Windows\system32\DRIVERS\KmxFile.sys [2007-03-16 04:39]
R1 KmxFilter;HIPS Core Filter Driver;C:\Windows\system32\DRIVERS\KmxFilter.sys [2007-10-18 10:46]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 KmxCF;KmxCF;C:\Windows\system32\DRIVERS\KmxCF.sys [2007-10-18 10:46]
R2 KmxSbx;KmxSbx;C:\Windows\system32\DRIVERS\KmxSbx.sys [2007-11-02 04:54]
R2 NTIOWP;NTIOWP;C:\Windows\system32\drivers\NTIOWP.sys [2001-04-29 20:39]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 sxuptp;SXUPTP Driver;C:\Windows\system32\DRIVERS\sxuptp.sys [2007-07-26 23:03]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-04 09:23]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 09:39]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2007-03-05 19:36]
R3 KmxCfg;KmxCfg;C:\Windows\system32\DRIVERS\kmxcfg.sys [2007-09-12 12:02]
R3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-11-27 21:42]
S3 LTXMD_VAC;Litex Media Virtual Audio Cabel (WDM);C:\Windows\system32\drivers\lmvac.sys [2008-04-28 21:27]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 01:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1eab8f52-c138-11dc-bdc0-0016d4fc3df5}]
\shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d008b31-a32e-11dc-b5af-0016d4fc3df5}]
\shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af8d580e-a8f1-11dc-a0c7-0016d4fc3df5}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b3-9d4f-11dc-97dc-0016d4fc3df5}]
\shell\AutoRun\command - I:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c22cf7b6-9d4f-11dc-97dc-0016d4fc3df5}]
\shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 01:16:18 C:\Windows\Tasks\CAAntiSpywareScan_Daily as Kyle at 8 15 PM.job"
??
? ??\- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 09:36:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

[0] 0x3BDC458B

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-07-11 9:40:51
ComboFix-quarantined-files.txt 2008-07-11 13:40:40
ComboFix2.txt 2008-07-10 12:58:10
ComboFix3.txt 2008-07-09 14:33:54

Pre-Run: 8,127,705,088 bytes free
Post-Run: 7,989,043,200 bytes free

335 --- E O F --- 2008-07-11 07:42:14
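A defender reading a ComboFix log like the one above usually checks the "Reg Loading Points" section first for settings that weaken the machine: UAC, the Windows Firewall and Security Center monitoring switched off, AppInit_DLLs populated, and AutoRun commands registered for removable volumes. The script below is an added example and is not part of this thread or of ComboFix; it parses that section in the rendering ComboFix uses and flags those entries, with the sample input constructed from entries shown in the log above.

```python
"""Flag weakened-security settings in a ComboFix 'Reg Loading Points' dump.

Added example. Assumes ComboFix's rendering of registry values as shown in
the posted log: '"Name"= 0 (0x0)', '"Name"=dword:00000001', '"Name"=text',
and '\\shell\\AutoRun\\command - <cmd>' under mountpoints2 keys.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name value reason")

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s*-\s*(.+?)\s*$")

# Constructed sample: a handful of entries copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a
"""


def reg_value_to_int(raw):
    """Convert '0 (0x0)' or 'dword:00000001' to an int; None for non-numeric data."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(-?\d+)", raw)
    return int(m.group(1)) if m else None


def check_entry(section, name, raw):
    """Return a reason string when a value weakens the system, else None."""
    low = section.lower()
    n = name.lower()
    val = reg_value_to_int(raw)
    leaf = section.rsplit("\\", 1)[-1]
    if n == "enablelua" and val == 0:
        return "UAC disabled (EnableLUA=0)"
    if n == "enablefirewall" and val == 0 and "firewallpolicy" in low:
        return "Windows Firewall disabled for profile " + leaf
    if n == "disablemonitoring" and val == 1 and "security center\\monitoring" in low:
        return "Security Center monitoring disabled for " + leaf
    if n == "appinit_dlls" and raw:
        return "AppInit_DLLs loads %s into every process that links user32.dll" % raw
    return None


def scan_reg_loading_points(text):
    """Walk the dump section by section and collect Finding records in order."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in section.lower():
            findings.append(Finding(section, "AutoRun", m.group(1),
                                    "AutoRun command registered for a removable volume"))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, raw = m.groups()
            reason = check_entry(section, name, raw)
            if reason:
                findings.append(Finding(section, name, raw, reason))
    return findings


if __name__ == "__main__":
    for f in scan_reg_loading_points(SAMPLE_LOG):
        print("%-18s %-32s %s" % (f.name, f.value, f.reason))
```

The report lists what to review by hand; none of these entries is malicious by itself (several are normal when a third-party firewall replaces the Windows one), so the script points at settings, not verdicts.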

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:24 PM

Posted 11 July 2008 - 04:46 PM

Hello Commie,

If your CA Firewall is disabled, then there is no need to uninstall it.

I guess the easiest way to get your ZoneAlarm firewall back on track would be to completely uninstall it, reboot and reinstall.

No other problems anymore?

Greetings,
Thunder

#9 Commie

Commie
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 12 July 2008 - 10:07 PM

I was evidently able to get home sooner than I had expected, so I can respond sooner. Everything is in working order as far as I can tell, other than ZA Firewall still. I uninstalled it, rebooted, went to install it and got an error message reading, "The path 'C:\Users\Kyle\AppData\Local\Microsoft\Windows\Temporary Internet Files/Content.IE5\AFFNM2Z\zlsSetup_71_254_000_en[1].exe' is invalid." I then proceeded to look for that directory in Windows Explorer and I could only get as far as the "Windows" folder. Any idea on what is causing this? I've tried to install more than once as well.

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:24 PM

Posted 14 July 2008 - 04:21 PM

Hello Commie,

The Temporary Internet Files folder and its subfolders are hidden folders,
so you either have to unhide them or just copy the full path C:\Users\Kyle\AppData\Local\Microsoft\Windows\Temporary Internet Files/Content.IE5\AFFNM2Z
and paste it in the Windows Explorer path window, and press Enter to show its contents.

I'm guessing, however, that some ZoneAlarm entries are left behind,
preventing Windows from installing zlsSetup_71_254_000_en[1].exe properly.
This is the correct way to manually uninstall all ZoneAlarm components:
http://forums.zonealarm.org/zonelabs/board...essage.id=79298
Also, make sure you download the ZoneAlarm installer to your Desktop first, and then double click it to install!
Do not attempt an installation without saving first.

Greetings,
Thunder
