Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumundo Infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 bexgq

bexgq

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 17 July 2008 - 06:21 AM

Hi

I've been infected with the virtumundo trojan and i've tried to remove it using vundofix, virtumondobegone and spybot but it keeps reappearing. Can someone please help me before i lose my mind.

Thank you

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-17 12:02:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-17 11:03:00 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-17 12:08:12
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\system32\awtqnkhe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {4c027fa6-137f-692b-8524-05b3a41c7c0a} - {a0c7c14a-3b50-4258-b296-f7316af720c4} - C:\WINDOWS\system32\amsfiy.dll
O2 - BHO: (no name) - {A9A93732-615B-4498-A4B9-741C64C994E8} - C:\WINDOWS\system32\mlJDuuVl.dll
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [eceaa311] rundll32.exe "C:\WINDOWS\system32\wqikxrts.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [A00FD8FDC.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00FD8FDC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincico...d%20Control.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: awtqnkhe - C:\WINDOWS\system32\awtqnkhe.dll
O20 - Winlogon Notify: __c00F1690 - C:\WINDOWS\system32\__c00F1690.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Freeloader Monthly Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Monthly Subscription Service File.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe


--
End of file - 9990 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080717-114245-614 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
backup-20080717-114246-664 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
backup-20080717-114247-334 O16 - DPF: {C0C0CB9B-BFEB-47C2-90FA-BE9692875ADB} (CPlayFirstPetShopHopControl Object) - http://download.playfirst.com/play/game/pe...eb.1.0.0.15.cab
backup-20080717-114247-347 O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.pjio.com/download/pjio_gamelauncher.CAB
backup-20080717-114249-878 O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfr...outLauncher.cab
backup-20080717-114250-964 O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
backup-20080717-114251-492 O16 - DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} (CPlayFirstDreamChronControl Object) - http://download.playfirst.com/play/game/dr...eb.1.0.0.13.cab
backup-20080717-114251-932 O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
backup-20080717-114330-115 O2 - BHO: (no name) - {67B0D1DA-4255-4063-80FB-68B04A92D718} - C:\WINDOWS\system32\urqPiGYp.dll (file missing)
backup-20080717-114330-309 O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\system32\awtqnkhe.dll
backup-20080717-114802-256 O2 - BHO: (no name) - {E4A7A1D5-842E-4A6A-B2CF-746314A4C2D7} - C:\WINDOWS\system32\awtsPJYR.dll (file missing)
backup-20080717-114802-330 O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\system32\awtqnkhe.dll
backup-20080717-114802-469 O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
backup-20080717-114802-525 O2 - BHO: (no name) - {A9A93732-615B-4498-A4B9-741C64C994E8} - C:\WINDOWS\system32\mlJDuuVl.dll
backup-20080717-114802-877 O2 - BHO: (no name) - {8694209A-27BA-47BE-87D3-43EC6831D568} - (no file)
backup-20080717-114803-207 O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
backup-20080717-114803-566 O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
backup-20080717-114804-951 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
backup-20080717-114805-480 O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
backup-20080717-114806-681 O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
backup-20080717-114806-906 O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.playfirst.com/play/game/dreamch...web.1.0.0.9.cab
backup-20080717-114807-964 O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://games.bigfishgames.com/en_mahjonges...mesLauncher.cab
backup-20080717-114808-977 O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
backup-20080717-114809-664 O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
backup-20080717-114810-956 O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsdigitalphotocentre.com/wpp...opcuploader.cab
backup-20080717-114811-648 O23 - Service: Be10860m - PC Tools Research Pty Ltd - (no file)
backup-20080717-114858-444 O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\system32\awtqnkhe.dll
backup-20080717-115017-256 O20 - Winlogon Notify: awtqnkhe - C:\WINDOWS\SYSTEM32\awtqnkhe.dll
backup-20080717-115017-539 O2 - BHO: (no name) - {A9A93732-615B-4498-A4B9-741C64C994E8} - C:\WINDOWS\system32\mlJDuuVl.dll
backup-20080717-115017-918 O23 - Service: Be10860m - PC Tools Research Pty Ltd - (no file)
backup-20080717-115017-976 O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\system32\awtqnkhe.dll
backup-20080717-115028-883 O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - C:\WINDOWS\system32\awtqnkhe.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S0 PxHelp20 - c:\windows\system32\drivers\pxhelp20.sys (file missing)
S2 gafwload (BT Voyager ADSL Modem Loader) - c:\windows\system32\drivers\gafwload.sys <Not Verified; GlobespanVirata Inc.; GlobespanVirata USB ADSL Firmware Loader>
S3 BTCOMM - c:\windows\system32\drivers\btcomm.sys (file missing)
S3 BTKRNBDG (Bluetooth COM Bridge) - c:\windows\system32\drivers\btkrnbdg.sys (file missing)
S3 CSRBC01 (%CSRBC01.SvcDesc%) - c:\windows\system32\drivers\csrbc01.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 RT73 (Belkin USB Network Adapter) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
S3 vad_multi (Windigo Virtual Audio Device (WDM)) - c:\windows\system32\drivers\vadmulti.sys (file missing)
S3 wanusb (BT Voyager ADSL Modem) - c:\windows\system32\drivers\gwausb.sys <Not Verified; GlobespanVirata Inc.; GlobespanVirata WAN ADSL USB Modem>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>
S4 Boonty Games - "c:\program files\common files\boonty shared\service\boonty.exe" <Not Verified; BOONTY; Boonty Games>
S4 Freeloader Monthly Subscription Service - "c:\program files\common files\freeloader shared\service\freeloader monthly subscription service file.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-17 12:00:00 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-07-17 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-07-17 11:22:35 312 --a------ C:\WINDOWS\Tasks\GlaryInitialize.job
2008-07-17 11:00:00 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-07-17 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-07-17 10:00:00 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-07-17 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-07-17 09:00:00 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-07-17 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-07-17 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-07-17 08:00:00 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-07-17 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-07-17 07:00:00 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-07-17 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-07-17 06:00:00 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-07-17 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-07-17 05:00:00 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-07-17 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-07-17 04:00:00 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-07-17 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-07-17 03:00:00 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-07-17 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-07-17 02:00:00 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-07-17 01:00:00 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-07-17 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-07-17 00:43:00 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-07-17 00:42:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-07-16 23:00:01 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-07-16 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-07-16 22:00:01 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-07-16 22:00:01 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-07-16 21:00:00 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-07-16 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-07-16 20:00:00 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-07-16 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-07-16 19:00:01 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-07-16 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-07-16 18:00:00 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-07-16 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-07-16 17:00:00 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-07-16 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-07-16 16:00:00 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-07-16 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-07-16 15:00:00 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-07-16 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-07-16 14:00:00 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-07-16 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-07-16 13:00:00 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-07-16 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-07-10 22:57:30 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-16 12:30:38 102400 --a------ C:\WINDOWS\system32\amsfiy.dll
2008-07-16 12:30:37 102400 --a------ C:\WINDOWS\system32\jffjpbvo.dll
2008-07-16 12:28:16 77824 --a------ C:\WINDOWS\system32\wqikxrts.dll
2008-07-16 12:27:37 6197 --ahs---- C:\WINDOWS\system32\lVuuDJlm.ini2
2008-07-16 12:27:34 318976 --a------ C:\WINDOWS\system32\mlJDuuVl.dll
2008-07-16 10:11:08 25088 --a------ C:\WINDOWS\system32\awtqnkhe.dll
2008-07-15 16:43:17 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-15 16:42:49 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-15 16:42:49 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-15 16:42:49 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-15 16:42:49 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-15 16:42:49 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-15 16:42:49 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-15 16:42:49 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-15 16:42:49 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-15 16:42:49 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-15 16:42:49 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-15 16:42:49 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-15 16:42:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-15 16:42:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-15 16:42:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-15 16:42:49 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-15 16:42:48 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-15 11:10:22 0 d-------- C:\Program Files\Lavasoft
2008-07-15 11:10:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-15 11:06:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 16:04:26 0 d-------- C:\VundoFix Backups
2008-07-14 16:00:49 102400 --a------ C:\WINDOWS\system32\vbdueopf.dll
2008-07-14 16:00:49 102400 --a------ C:\WINDOWS\system32\fslrju.dll
2008-07-13 14:50:02 103424 --a------ C:\WINDOWS\system32\hnuavz.dll
2008-07-13 14:50:00 103424 --a------ C:\WINDOWS\system32\qexshmsq.dll
2008-07-13 12:11:57 0 d-------- C:\Documents and Settings\Owner\Application Data\INAC
2008-07-13 12:11:57 0 d-------- C:\Documents and Settings\All Users\Application Data\INAC
2008-07-11 22:36:15 103424 --a------ C:\WINDOWS\system32\mltssp.dll
2008-07-11 22:36:14 103424 --a------ C:\WINDOWS\system32\ckhbvudg.dll
2008-07-11 22:36:10 78336 --a------ C:\WINDOWS\system32\gmhetvxw.dll
2008-07-11 17:46:55 2180 --ahs---- C:\WINDOWS\system32\pYGiPqru.ini2
2008-07-11 14:29:08 0 d-------- C:\Program Files\The Cleaner
2008-07-11 14:07:00 103424 --a------ C:\WINDOWS\system32\svowzb.dll
2008-07-11 14:07:00 103424 --a------ C:\WINDOWS\system32\jrkiljdn.dll
2008-07-11 14:05:28 1901 --ahs---- C:\WINDOWS\system32\RYJPstwa.ini2
2008-07-11 13:37:18 21504 --a------ C:\WINDOWS\system32\__c00F1690.dat
2008-07-11 11:15:43 20480 --a------ C:\WINDOWS\system32\u1mU3Ykf.dll
2008-07-11 11:15:41 35842 --a------ C:\WINDOWS\system32\y1qY3Doj.exe
2008-07-10 23:15:37 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2008-07-10 23:13:26 0 d-------- C:\Program Files\Common Files\Ahead
2008-07-10 23:13:25 0 d-------- C:\Program Files\Nero2
2008-07-10 10:32:30 29760 --a------ C:\WINDOWS\system32\r72OD87U.exe
2008-06-18 10:51:31 57436 --a------ C:\WINDOWS\DASShp.dll <Not Verified; Microsoft Corporation; Microsoft® DAS Client Components>
2008-06-18 10:51:30 0 d-------- C:\Program Files\Microsoft Reader


-- Find3M Report ---------------------------------------------------------------

2008-07-17 11:22:53 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-07-17 10:04:53 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-07-17 09:31:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-07-15 11:06:48 0 d-------- C:\Program Files\Common Files
2008-07-13 15:03:48 0 d-------- C:\Program Files\Microsoft Picture It! 9
2008-07-11 13:09:04 39980 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-07-09 08:15:53 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-07-02 20:26:14 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-18 10:51:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-09 21:05:38 0 d-------- C:\Program Files\Apple Software Update
2008-06-05 10:24:20 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-06-05 10:23:22 0 d-------- C:\Program Files\iTunes
2008-06-05 10:22:16 0 d-------- C:\Program Files\iPod
2008-06-05 10:18:49 0 d-------- C:\Program Files\QuickTime
2008-06-05 10:08:08 0 d-------- C:\Program Files\Common Files\Apple
2008-05-27 21:11:32 0 d-------- C:\Program Files\uTorrent
2008-05-21 14:05:06 0 d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-20 20:21:51 0 d-------- C:\Documents and Settings\Owner\Application Data\Youdagames
2008-05-01 14:57:00 0 --a------ C:\Documents and Settings\Owner\Application Data\sversion.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57A52E74-004C-464B-96CC-4DFE5366EA02}]
16/07/2008 10:11 25088 --a------ C:\WINDOWS\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a0c7c14a-3b50-4258-b296-f7316af720c4}]
16/07/2008 12:30 102400 --a------ C:\WINDOWS\system32\amsfiy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9A93732-615B-4498-A4B9-741C64C994E8}]
16/07/2008 12:27 318976 --a------ C:\WINDOWS\system32\mlJDuuVl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 04:15]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [19/08/2003 09:01]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [03/11/2003 17:50]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [05/03/2008 09:37]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 14:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"GSICONEXE"="GSICON.EXE" [24/04/2002 20:04 C:\WINDOWS\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [02/05/2002 14:45 C:\WINDOWS\system32\dslagent.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [07/09/2004 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"eceaa311"="C:\WINDOWS\system32\wqikxrts.dll" [16/07/2008 12:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [13/12/2007 19:10]
"A00FD8FDC.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00FD8FDC.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]
"RecordNow!"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [17/04/2003 00:14:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [14/08/2007 14:40:29]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= C:\WINDOWS\system32\u1mU3Ykf.dll [17/07/2008 10:30 20480]
"{57A52E74-004C-464B-96CC-4DFE5366EA02}"= C:\WINDOWS\system32\awtqnkhe.dll [16/07/2008 10:11 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkhe]
awtqnkhe.dll 16/07/2008 10:11 25088 C:\WINDOWS\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F1690]
C:\WINDOWS\system32\__c00F1690.dat 17/07/2008 11:27 21504 C:\WINDOWS\system32\__c00F1690.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJDuuVl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ubisoft register.lnk]
backup=C:\WINDOWS\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\supernews12]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_TBPS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zdoxnnqf]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SWN2"=C:\Program Files\Spyware Nuker\swnxt.exe /h
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-17 12:10:48 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.70GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 247.48 MiB / 93.85 MiB
Pagefile Memory (total/avail): 605.8 MiB / 269.28 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1893.39 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 70.48 GiB total, 47.84 GiB free.
D: is Fixed (FAT32) - 4.03 GiB total, 0.35 GiB free.
E: is CDROM (No Media)
G: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 4.04 GiB - D:
\PARTITION1 (bootable) - Installable File System - 70.48 GiB - C:

\\.\PHYSICALDRIVE1 - HP USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: PC Tools AntiVirus 4.0.0.26 v4.0.0.26 (PC Tools Research Pty Ltd)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo! Games\\Blackhawk Striker 2\\Blackhawk2.exe"="C:\\Program Files\\Yahoo! Games\\Blackhawk Striker 2\\Blackhawk2.exe:*:Enabled:Black Hawk Striker 2"
"C:\\My Games\\Pearl Harbor - Zero Hour\\phz.exe"="C:\\My Games\\Pearl Harbor - Zero Hour\\phz.exe:*:Enabled:phz"
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe:*:Enabled:Nero ControlCenter"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-EVF1TFJ8B7
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-EVF1TFJ8B7
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\Samsung\Samsung PC Studio 3\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-EVF1TFJ8B7
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\PC Tools AntiVirus\unins000.exe /LOG
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\Motive\btbb\UninstallHelper.exe
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
5.0M MPEG4 DV --> C:\Program Files\5.0M MPEG4 DV\uninst.exe
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe AIR --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BT BB Diagnostic --> C:\PROGRA~1\BTBBDI~1\UNWISE.EXE /U /Z C:\PROGRA~1\BTBBDI~1\INSTALL.LOG
BT Broadband Desktop Help --> C:\WINDOWS\Motive\btbb\MCCUninst.exe
BT Broadband Talk Softphone 2.0 --> "C:\Program Files\BT Broadband Talk Softphone\unins000.exe"
BT Home Hub --> C:\Program Files\BT Home Hub\Uninstall.exe
BT Voyager ADSL Modem --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7B39B40-52C3-11D4-AFCE-00E0B8138A4A}\Setup.exe" -l0x9 REMOVE
Family Tree Maker 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B136E4A4-7660-4F15-9752-EF8E6BA7866D}\setup.exe" -l0x9
Glary Utilities 2.5.1 --> "C:\Program Files\Glary Utilities\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\hijackthis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 3.5 --> C:\Program Files\HP\Digital Imaging\{C6C44651-7C66-4b11-92E8-17565D3D22DD}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Reader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F7DBE7-2FE2-458F-A738-B10832746036}\Setup.exe" -L0x9
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works --> MsiExec.exe /I{B9966F27-9678-4620-9579-925E3084647E}
Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe /ARP E:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{33BEE6F3-9987-4F98-A069-97A64EC8321A}
Nero 7 Lite v7.7.5.1 --> "C:\Program Files\Nero2\unins000.exe"
Nero 8 --> MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA GART Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver
OLYMPUS Master --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BA820A24-704B-428D-9904-71A10DAC1372} /l1033 /zUNINSTALL
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PC Tools AntiVirus4.0 --> "C:\Program Files\PC Tools AntiVirus\unins000.exe"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
StartUp Manager --> C:\Program Files\INAC\StartUp Manager\uninstall.exe
The BankRobber --> MsiExec.exe /I{96F0A92D-7029-4452-A100-C78322F943B7}
The Cleaner --> "C:\Program Files\The Cleaner\unins000.exe"
Ulead Photo Express 4.0 My Custom Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21BCE515-D5A3-11D4-8E33-0010B53EC668}\setup.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Wedding Dash 2 - Rings Around the World --> MsiExec.exe /I{53D79E66-1B07-45E0-9ADE-0700D504417B}
Westward II Heroes Of The Frontier --> MsiExec.exe /I{3B762744-3C41-4871-826F-D55DA1D7BFB5}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xvid 1.1.2 final uninstall --> "C:\Program Files\XviD\unins001.exe"
XviD MPEG4 Video Codec (remove only) --> "C:\WINDOWS\system32\xvid-uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type34592 / Success
Event Submitted/Written: 07/17/2008 11:25:55 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type34572 / Success
Event Submitted/Written: 07/17/2008 09:57:02 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type34546 / Error
Event Submitted/Written: 07/16/2008 11:40:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type34539 / Success
Event Submitted/Written: 07/16/2008 01:00:46 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type34505 / Success
Event Submitted/Written: 07/15/2008 06:56:20 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type39781 / Error
Event Submitted/Written: 07/17/2008 00:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At37.job command failed to start due to the following error:
%%2147942405

Event Record #/Type39780 / Error
Event Submitted/Written: 07/17/2008 00:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At13.job command failed to start due to the following error:
%%2147942405

Event Record #/Type39773 / Error
Event Submitted/Written: 07/17/2008 11:24:14 AM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.1.64,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type39753 / Error
Event Submitted/Written: 07/17/2008 11:23:41 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The 5.0M MPEG4 DV Video Capture service failed to start due to the following error:
%%1058

Event Record #/Type39752 / Error
Event Submitted/Written: 07/17/2008 11:23:41 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BT Voyager ADSL Modem Loader service failed to start due to the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2008-07-17 12:10:48 ------------

BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:07:15 PM

Posted 18 July 2008 - 11:30 PM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:07:15 PM

Posted 06 August 2008 - 08:27 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users