Virtumonde/vundo/conhook Infection


  • This topic is locked
9 replies to this topic

#1 Hamroc


  • Members
  • 14 posts

Posted 21 July 2008 - 10:49 AM

Windows Live OneCare keeps telling me that my computer is infected by either Virtumonde, Vundo, or Conhook but will never say that it is infected by more than one of them at a time. I take the appropriate actions to remove them through OneCare and they never get fully removed. After some research I found that all three are pretty much the same infection. I tried using VundoFix and it recognized three files as Vundo, but when I go to remove them the program just freezes up and the only action I can take is to close the program. I ran HijackThis and saw one of the files VundoFix recognized (C:\Windows\system32\rqRKDvvS.dll) and tried to get rid of it with HijackThis, and the file will still not go away. I also used VirtumundoBeGone and that failed to resolve anything as well. I ran a DSS scan and got the main.txt but never got the extra.txt. Thanks in advance and please let me know what I can do to help find a resolution.

Deckard's System Scanner v20071014.68
Run by Administrator on 2003-07-21 11:33:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 26.81 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:46 AM, on 7/21/2003
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\notepad.exe
C:\Users\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\Windows\system32\efcBqrqR.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A212340-8D62-4E31-BAE7-216D44BC6766} - (no file)
O2 - BHO: (no name) - {0B400147-00CF-43EA-B15E-F5567198D161} - (no file)
O2 - BHO: (no name) - {2308585E-0F3F-4005-A453-D7399B3DD2DC} - (no file)
O2 - BHO: (no name) - {29de8833-947d-4585-8221-137606057192} - (no file)
O2 - BHO: (no name) - {2DEABF04-F5A5-41D8-AE2A-3FC47E4FF1CF} - (no file)
O2 - BHO: (no name) - {311A3D77-D429-4B4E-84D0-5F8C897C7C1B} - (no file)
O2 - BHO: (no name) - {445D04AD-B503-4CE7-B9D3-70D4B5F33030} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56EDF53B-3AD7-4ED7-8E97-78221033FDDD} - (no file)
O2 - BHO: (no name) - {58CF81D3-0C76-441B-B7E8-B24E25C86EF8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7A02D614-1FF6-4287-8061-77D2E4DF0C28} - (no file)
O2 - BHO: (no name) - {7FD86F6E-7C5B-415F-8981-5781F1804706} - C:\Windows\system32\rqRKDvvS.dll
O2 - BHO: (no name) - {8355808D-8E34-49FA-8E06-27118A973642} - (no file)
O2 - BHO: (no name) - {87ff9e07-2385-4151-91be-407270e56002} - (no file)
O2 - BHO: (no name) - {8ad1af37-76fd-400c-bbd9-c86c735a9814} - (no file)
O2 - BHO: (no name) - {8ED20FA3-D9CA-492A-AECA-FDD36E30A4C1} - (no file)
O2 - BHO: (no name) - {97a78735-438e-44b7-b6a7-8fd7200c8ab0} - (no file)
O2 - BHO: (no name) - {A480EEEF-43DE-4423-B5FC-47C5E1B47D71} - (no file)
O2 - BHO: (no name) - {A6518E39-2714-423D-BF22-6F2A80263104} - (no file)
O2 - BHO: (no name) - {AD2556CC-6A7A-4029-A4C5-90F98CA12997} - (no file)
O2 - BHO: (no name) - {B71779B1-11C0-4239-8281-A8D0E8CBDD7F} - (no file)
O2 - BHO: (no name) - {BF9A4A37-23C6-4DB6-9392-4A308974C57C} - (no file)
O2 - BHO: (no name) - {C0F3BED0-AC90-4F6D-987C-3FEB1AD25100} - (no file)
O2 - BHO: (no name) - {ED6D3C1E-4BB4-47AC-A23E-06C2E7C26A68} - (no file)
O2 - BHO: (no name) - {f1721e55-428a-4028-97bb-eba4fe1e7249} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.05/uploader2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 7111 bytes

-- Files created between 2003-06-21 and 2003-07-21 -----------------------------

2008-07-13 14:57:21 0 d-------- C:\Program Files\Google
2008-07-13 14:57:18 0 d-------- C:\Program Files\Picasa2
2008-06-30 10:10:48 0 d-------- C:\Program Files\Firaxis Games
2008-06-19 12:44:35 0 d-------- C:\Users\All Users\Ludia
2008-06-14 01:22:56 32829 --a------ C:\Windows\scunin.dat
2008-06-14 01:22:54 967 --a------ C:\Windows\ScUnin.pif
2008-06-14 01:22:54 94208 --a------ C:\Windows\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-06-14 01:22:43 0 d-------- C:\Program Files\Starcraft
2008-06-12 11:59:29 315904 --a------ C:\Windows\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-06-12 11:59:22 47104 --a------ C:\Windows\system32\KMVIDC32.DLL
2008-06-12 11:33:58 0 d-------- C:\Program Files\Team17 Software Ltd
2008-06-10 17:29:25 4096 --a------ C:\Windows\d3dx.dat
2008-06-10 17:29:25 0 d-------- C:\Users\All Users\AirportMania
2008-06-10 17:28:59 0 d-------- C:\Program Files\ReflexiveArcade
2008-06-10 17:23:58 0 d-------- C:\Program Files\QuickTime
2008-06-10 11:11:58 0 d-------- C:\Users\All Users\PlayFirst
2008-05-30 19:22:48 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 19:22:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 815104 --a------ C:\Windows\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 683520 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-26 03:15:12 0 d-------- C:\PerfLogs
2008-05-22 18:22:18 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-05-22 18:19:46 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 18:19:46 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 18:18:54 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-05-22 11:08:51 0 d-------- C:\Users\Administrator\Hot teen amateurs
2008-05-19 01:45:47 0 d-------- C:\Program Files\CDisplay
2008-05-18 21:19:30 0 d-------- C:\Users\All Users\FLEXnet
2008-05-18 10:20:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-18 10:18:41 0 d-------- C:\Users\All Users\Rosetta Stone
2008-05-18 10:18:41 0 d-------- C:\Program Files\Rosetta Stone
2008-05-04 13:44:44 0 d-------- C:\Program Files\Zune
2008-05-04 13:37:58 0 d-------- C:\Program Files\BitLord
2008-05-04 12:17:00 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-05-04 02:30:48 0 d-------- C:\VundoFix Backups
2008-05-04 02:06:19 0 d-------- C:\Users\All Users\Avira
2008-05-04 01:23:26 0 d-------- C:\$UPGRADE.~OS
2008-05-01 14:27:43 52864 -ra------ C:\Windows\system32\SetupWizard.exe
2008-04-30 10:14:28 0 d------c- C:\Windows\system32\DRVSTORE
2008-04-30 10:12:41 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-04-30 02:52:10 514583 --ahs---- C:\Windows\system32\QpYyIRqr.ini2
2008-04-30 01:32:47 0 d-------- C:\Program Files\Windows Live Safety Center
2008-04-28 02:24:10 0 d-------- C:\Users\All Users\Ubisoft
2008-04-24 16:29:36 416221 --ahs---- C:\Windows\system32\RAyaacfe.ini2
2008-04-22 08:48:06 0 d-------- C:\Warhammer
2008-04-22 08:43:31 0 d-------- C:\Program Files\MagicISO
2008-04-17 16:30:05 535552 --a------ C:\ISSetup.dll <Not Verified; Macrovision Corporation; InstallShield>
2008-04-17 14:30:22 267180 --ahs---- C:\Windows\system32\vGOrBJjl.ini2
2008-04-15 10:48:45 0 d-------- C:\Program Files\XP Codec Pack
2008-04-15 03:00:59 0 d-------- C:\Program Files\MSXML 4.0
2008-04-15 02:16:28 855557 --ahs---- C:\Windows\system32\SvvDKRqr.ini2
2008-04-15 02:16:24 273408 -----n--- C:\Windows\system32\rqRKDvvS.dll
2008-04-15 00:32:44 0 d-------- C:\Users\All Users\Nero
2008-04-15 00:32:44 0 d-------- C:\Program Files\Common Files\Nero
2008-04-14 23:46:44 0 d-------- C:\ConverterOutput
2008-04-14 23:46:34 262144 --a------ C:\Windows\system32\TomsMoComp_ff.dll
2008-04-14 23:46:34 112640 --a------ C:\Windows\system32\libmpeg2_ff.dll
2008-04-14 23:46:34 34820 --a------ C:\Windows\system32\ffdshow.reg
2008-04-14 23:41:47 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-04-14 23:41:47 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-04-14 23:41:47 0 d-------- C:\Program Files\Xvid
2008-04-11 12:17:57 0 d-------- C:\Program Files\SEGA
2008-04-11 11:59:06 0 d-------- C:\ Medivial 2 disc 2
2008-04-11 11:46:47 0 d-------- C:\ Medivial 2
2008-04-09 15:49:27 0 d-------- C:\Users\All Users\Steam
2008-04-09 15:49:22 0 d-------- C:\Users\All Users\PopCap Games
2008-04-09 15:28:39 30 --a------ C:\Windows\popcinfo.dat
2008-04-08 12:07:02 0 d-------- C:\UCL
2008-04-08 11:36:15 0 d-------- C:\Program Files\Common Files\Steam
2008-04-07 14:09:50 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-07 14:07:13 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-03-06 11:29:44 962560 --a------ C:\Windows\system32\VSFilter.dll <Not Verified; Gabest; VSFilter>
2008-02-12 13:57:41 0 d-a------ C:\Users\All Users\TEMP
2008-01-29 17:18:48 0 -rahs---- C:\MSDOS.SYS
2008-01-29 17:18:48 0 -rahs---- C:\IO.SYS
2008-01-29 17:02:41 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-01-29 16:45:34 0 d-------- C:\Program Files\Trend Micro
2008-01-29 14:10:31 0 d-------- C:\Users\All Users\Lavasoft
2008-01-16 12:40:53 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-01-14 08:52:00 81920 --a------ C:\Windows\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>
2007-12-24 07:47:52 7680 --a------ C:\Windows\system32\ff_vfw.dll
2007-12-24 07:40:26 395776 --a------ C:\Windows\system32\libmplayer.dll
2007-12-22 16:02:50 188416 --a------ C:\Windows\system32\ff_theora.dll
2007-12-22 15:27:22 2255360 --a------ C:\Windows\system32\libavcodec.dll
2007-12-11 12:12:52 0 d-------- C:\Program Files\DivX
2007-12-03 10:34:32 26624 --a------ C:\Windows\system32\ff_wmv9.dll
2007-12-01 07:43:30 520192 --a------ C:\Windows\system32\ff_x264.dll
2007-11-29 02:01:32 0 dr------- C:\Users\SCHULTZ\Searches
2007-11-29 02:01:24 0 dr------- C:\Users\SCHULTZ\Contacts
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Videos
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\Templates
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\Start Menu
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\SendTo
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Saved Games
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\Recent
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\PrintHood
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Pictures
2007-11-29 02:01:20 1835008 --ahs---- C:\Users\SCHULTZ\NTUSER.DAT
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\NetHood
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\My Documents
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Music
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\Local Settings
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Links
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Favorites
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Downloads
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Documents
2007-11-29 02:01:20 0 dr------- C:\Users\SCHULTZ\Desktop
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\Cookies
2007-11-29 02:01:20 0 d--hs---- C:\Users\SCHULTZ\Application Data
2007-11-29 02:01:20 0 d--h----- C:\Users\SCHULTZ\AppData
2007-11-22 13:55:59 0 d-------- C:\Users\All Users\Windows Genuine Advantage
2007-11-19 19:44:15 0 d-------- C:\Users\All Users\Adobe
2007-11-19 19:44:03 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-14 20:39:58 0 d-------- C:\Program Files\Ventrilo
2007-11-14 20:39:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 17:21:32 0 d-------- C:\Program Files\Winamp
2007-11-11 17:13:59 0 d-------- C:\DECCHECK
2007-10-29 03:00:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-27 18:26:17 0 d-------- C:\BonusScanner
2007-10-27 15:07:59 0 d-------- C:\Windows\system32\Macromed
2007-10-27 15:05:18 0 d-------- C:\Program Files\World of Warcraft
2007-10-27 15:05:18 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-23 11:31:32 0 d-------- C:\Users\All Users\NVIDIA
2007-10-23 11:27:02 3636 --a------ C:\Windows\system32\drivers\nvphy.bin
2007-10-23 11:26:42 0 d-------- C:\Users\All Users\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
2007-10-23 11:26:27 0 d-------- C:\Program Files\Activation Assistant for the 2007 Microsoft Office suites
2007-10-23 11:22:18 0 d-------- C:\NVIDIA
2007-10-23 11:22:02 262144 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-10-23 11:22:02 86016 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2007-10-23 11:20:17 0 d-------- C:\Windows\system32\Futuremark
2007-10-23 11:20:17 3972 --a------ C:\Windows\system32\drivers\PciBus.sys
2007-10-23 11:20:17 5632 --a------ C:\Windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2007-10-23 11:20:17 21664 --a------ C:\Windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-10-23 11:17:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-23 11:17:06 0 d-------- C:\Program Files\Microsoft Works
2007-10-23 11:17:04 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-23 11:16:34 0 d-------- C:\Windows\PCHEALTH
2007-10-23 11:16:34 0 d-------- C:\Program Files\Microsoft.NET
2007-10-23 11:15:34 0 d-------- C:\Windows\SHELLNEW
2007-10-23 11:15:10 0 d-------- C:\Users\All Users\Microsoft Help
2007-10-23 11:15:08 0 d--hs---- C:\Windows\Installer
2007-10-23 11:14:53 0 dr-h----- C:\MSOCache
2007-10-23 11:12:03 0 dr------- C:\Users\Administrator\Searches
2007-10-23 11:11:55 0 dr------- C:\Users\Administrator\Contacts
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\Templates
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\Start Menu
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\SendTo
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\Recent
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\PrintHood
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\NetHood
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\My Documents
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\Local Settings
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\Cookies
2007-10-23 11:11:52 0 d--hs---- C:\Users\Administrator\Application Data
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Videos
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Saved Games
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Pictures
2007-10-23 11:11:51 3407872 --ahs---- C:\Users\Administrator\NTUSER.DAT
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Music
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Links
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Favorites
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Downloads
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Documents
2007-10-23 11:11:51 0 dr------- C:\Users\Administrator\Desktop
2007-10-23 11:11:49 0 d--h----- C:\Users\Administrator\AppData
2007-10-22 21:01:11 0 d-------- C:\Windows\Panther
2007-10-22 21:00:57 0 d--hs---- C:\Boot
2007-10-22 21:00:45 0 d-------- C:\OEMLOGO
2007-10-22 20:03:54 0 d-------- C:\Windows\SoftwareDistribution
2007-10-22 20:03:08 0 d-------- C:\Windows\Debug
2007-10-22 20:02:12 0 d-------- C:\Windows\Prefetch
2007-10-22 20:02:04 0 d--hs---- C:\System Volume Information
2007-08-24 18:08:24 1275392 --a------ C:\Windows\system32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP 2>
2006-11-02 12:10:16 80912 --a------ C:\Windows\system32\sherlock2.exe
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\Templates
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\Start Menu
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\SendTo
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\Recent
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\PrintHood
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\NetHood
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\My Documents
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\Local Settings
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\Cookies
2006-11-02 08:59:44 0 d--hs---- C:\Users\Default\Application Data
2006-11-02 08:59:44 0 d--hs---- C:\Users\All Users\Templates
2006-11-02 08:59:44 0 d--hs---- C:\Users\All Users\Start Menu
2006-11-02 08:59:44 0 d--hs---- C:\Users\All Users\Favorites
2006-11-02 08:59:44 0 d--hs---- C:\Users\All Users\Documents
2006-11-02 08:59:44 0 d--hs---- C:\Users\All Users\Desktop
2006-11-02 08:59:44 0 d--hs---- C:\Users\All Users\Application Data
2006-11-02 08:59:44 0 d--hs---- C:\Documents and Settings
2006-11-02 08:45:10 0 d-------- C:\Windows\Setup
2006-11-02 08:45:07 0 d-------- C:\Windows\ServiceProfiles
2006-11-02 08:45:01 0 d---s---- C:\Windows\system32\Microsoft
2006-11-02 08:40:00 0 d-------- C:\Windows\WindowsMobile
2006-11-02 08:40:00 0 d-------- C:\Windows\system32\winrm
2006-11-02 08:40:00 0 d-------- C:\Windows\system32\slmgr
2006-11-02 08:40:00 0 d-------- C:\Windows\system32\en
2006-11-02 08:40:00 0 d-------- C:\Windows\system32\drivers\en-US
2006-11-02 08:40:00 0 d-------- C:\Windows\system32\Branding
2006-11-02 08:40:00 0 d-------- C:\Windows\system32\0409
2006-11-02 08:40:00 0 d-------- C:\Windows\en-US
2006-11-02 08:39:59 0 d-------- C:\Windows\system32\WCN
2006-11-02 08:39:59 0 d-------- C:\Windows\system32\Printing_Admin_Scripts
2006-11-02 08:35:51 0 d-------- C:\Windows\twain_32
2006-11-02 08:35:51 0 d-------- C:\Windows\system32\XPSViewer
2006-11-02 08:35:51 0 d-------- C:\Windows\system32\restore
2006-11-02 08:35:51 0 d-------- C:\Windows\Performance
2006-11-02 08:35:51 0 d-------- C:\Windows\DigitalLocker
2006-11-02 08:35:51 0 d-------- C:\Program Files\Windows Sidebar
2006-11-02 08:35:51 0 d-------- C:\Program Files\Windows Photo Gallery
2006-11-02 08:35:51 0 d-------- C:\Program Files\Windows Defender
2006-11-02 08:35:51 0 d-------- C:\Program Files\Windows Collaboration
2006-11-02 08:35:51 0 d-------- C:\Program Files\Windows Calendar
2006-11-02 08:35:51 0 d-------- C:\Program Files\Reference Assemblies
2006-11-02 08:35:51 0 d-------- C:\Program Files\MSBuild
2006-11-02 08:35:51 0 d-------- C:\Program Files\Movie Maker
2006-11-02 08:35:51 0 d-------- C:\Program Files\Microsoft Games
2006-11-02 07:18:44 0 d-------- C:\Windows\winsxs
2006-11-02 07:18:44 0 d-------- C:\Windows\Web
2006-11-02 07:18:44 0 d-------- C:\Windows\tracing
2006-11-02 07:18:44 0 d-------- C:\Windows\Tasks
2006-11-02 07:18:44 0 d-------- C:\Windows\tapi
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\zh-TW
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\zh-HK
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\zh-CN
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\winevt
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\wfp
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\WDI
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\wbem
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\uk-UA
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\tr-TR
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\th-TH
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\Tasks
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\sysprep
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\sv-SE
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\sr-Latn-CS
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\spool
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\Speech
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\SMI
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\SLUI
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\sl-SI
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\sk-SK
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\setup
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\ru-RU
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\ro-RO
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\RemInst
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\ras
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\pt-PT
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\pt-BR
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\pl-PL
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\oobe
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\nl-NL
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\networklist
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\NDF
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\nb-NO
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\MUI
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\Msdtc
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\migwiz
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\migration
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\manifeststore
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\lv-LV
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\lt-LT
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\LogFiles
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\licensing
2006-11-02 07:18:43 0 d-------- C:\Windows\system32\ko-KR
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\ja-JP
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\it-IT
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\inetsrv
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\IME
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\icsxml
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\ias
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\hu-HU
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\hr-HR
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\he-IL
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\GroupPolicyUsers
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\GroupPolicy
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\fr-FR
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\fi-FI
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\et-EE
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\es-ES
2006-11-02 07:18:42 0 d-------- C:\Windows\system32\el-GR
2006-11-02 07:18:36 0 d-------- C:\Windows\System32
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\DriverStore
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\drivers
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\drivers\UMDF
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\drivers\etc
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\de-DE
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\da-DK
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\cs-CZ
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\config
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\com
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\CodeIntegrity
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\catroot2
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\catroot
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\Boot
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\bg-BG
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\ar-SA
2006-11-02 07:18:36 0 d-------- C:\Windows\system32\AdvancedInstallers
2006-11-02 07:18:36 0 d-------- C:\Windows\system
2006-11-02 07:18:36 0 d-------- C:\Windows\Speech
2006-11-02 07:18:36 0 d-------- C:\Windows\servicing
2006-11-02 07:18:36 0 d-------- C:\Windows\security
2006-11-02 07:18:36 0 d-------- C:\Windows\schemas
2006-11-02 07:18:36 0 d-------- C:\Windows\SchCache
2006-11-02 07:18:36 0 d-------- C:\Windows\Resources
2006-11-02 07:18:36 0 d-------- C:\Windows\rescache
2006-11-02 07:18:36 0 d-------- C:\Windows\Registration
2006-11-02 07:18:36 0 d-------- C:\Windows\Provisioning
2006-11-02 07:18:36 0 d-------- C:\Windows\PolicyDefinitions
2006-11-02 07:18:35 0 d-------- C:\Windows\PLA
2006-11-02 07:18:35 0 dr------- C:\Windows\Offline Web Pages
2006-11-02 07:18:35 0 d-------- C:\Windows\nap
2006-11-02 07:18:35 0 d-------- C:\Windows\MSAgent
2006-11-02 07:18:35 0 d-------- C:\Windows\ModemLogs
2006-11-02 07:18:35 0 dr--s---- C:\Windows\Media
2006-11-02 07:18:35 0 d-------- C:\Windows\Logs
2006-11-02 07:18:35 0 d-------- C:\Windows\LiveKernelReports
2006-11-02 07:18:35 0 d-------- C:\Windows\L2Schemas
2006-11-02 07:18:34 0 d-------- C:\Windows
2006-11-02 07:18:34 0 d-------- C:\Windows\inf
2006-11-02 07:18:34 0 d-------- C:\Windows\IME
2006-11-02 07:18:34 0 d-------- C:\Windows\Help
2006-11-02 07:18:34 0 d-------- C:\Windows\Globalization
2006-11-02 07:18:34 0 dr--s---- C:\Windows\Fonts
2006-11-02 07:18:34 0 d---s---- C:\Windows\Downloaded Program Files
2006-11-02 07:18:34 0 d-------- C:\Windows\Cursors
2006-11-02 07:18:34 0 d-------- C:\Windows\Branding
2006-11-02 07:18:34 0 d-------- C:\Windows\Boot
2006-11-02 07:18:34 0 d-------- C:\Windows\AppPatch
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Videos
2006-11-02 07:18:34 0 d-------- C:\Users\Default\Saved Games
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Pictures
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Music
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Links
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Favorites
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Downloads
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Documents
2006-11-02 07:18:34 0 dr------- C:\Users\Default\Desktop
2006-11-02 07:18:33 0 dr------- C:\Users
2006-11-02 07:18:33 0 d--h----- C:\Users\Default\AppData
2006-11-02 07:18:33 0 d---s---- C:\Users\All Users\Microsoft
2006-11-02 07:18:33 0 d-------- C:\ProgramData
2006-11-02 07:18:33 0 dr------- C:\Program Files
2006-11-02 07:18:33 0 d-------- C:\Program Files\Windows NT
2006-11-02 07:18:33 0 d-------- C:\Program Files\Windows Mail
2006-11-02 07:18:33 0 d-------- C:\Program Files\Common Files
2006-11-02 07:18:33 0 d-------- C:\Program Files\Common Files\SpeechEngines
2006-11-02 07:17:19 0 d--hs---- C:\$Recycle.Bin
2006-11-02 06:22:30 262144 --ahs---- C:\Users\Default\NTUSER.DAT
2004-11-24 15:25:52 335872 --a------ C:\Windows\system32\drvc.dll <Not Verified; ; RealVideo 8+9+10+HFE2.1 (32-bit)>
2004-11-12 04:07:02 1207 --a------ C:\Windows\system32\gplmpg.reg
2004-10-03 13:50:54 129024 --a------ C:\Windows\system32\ff_mpeg2enc.dll
2004-08-10 02:52:54 241723 --a------ C:\Windows\system32\hxltcolor.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:52:16 49221 --a------ C:\Windows\system32\rv40.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:52:14 49221 --a------ C:\Windows\system32\rv30.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:51:08 176195 --a------ C:\Windows\system32\drv2.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:51:00 57411 --a------ C:\Windows\system32\rv20.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:50:48 102464 --a------ C:\Windows\system32\drv1.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:50:40 49216 --a------ C:\Windows\system32\rv10.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:50:22 77889 --a------ C:\Windows\system32\atrc.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:50:12 106561 --a------ C:\Windows\system32\sipr.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-08-10 02:50:00 65602 --a------ C:\Windows\system32\cook.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2004-04-20 18:00:00 172032 --a------ C:\Windows\system32\OptimFROG.dll <Not Verified; Florin Ghido, FlorinGhido@yahoo.com; OptimFROG Lossless/DualStream Audio Compression, http://LosslessAudioCompression.com>
2004-01-29 10:08:23 32768 --a------ C:\Windows\system32\ATHPRXY.DLL <Not Verified; Microsoft Corporation; MSSearch>
2003-07-21 11:13:20 0 d-------- C:\Program Files\Java
2003-07-21 11:13:19 0 d-------- C:\Program Files\Common Files\Java
2003-07-21 11:10:27 0 d-------- C:\Program Files\SDM20
2003-07-21 02:35:29 0 d-------- C:\Windows\Sun


-- Find3M Report ---------------------------------------------------------------

2008-06-19 12:44:35 0 d-------- C:\Users\Administrator\AppData\Roaming\Ludia
2008-06-10 11:11:58 0 d-------- C:\Users\Administrator\AppData\Roaming\PlayFirst
2008-05-26 03:23:22 174 --ahs---- C:\Program Files\desktop.ini
2008-04-15 10:50:06 0 d-------- C:\Users\Administrator\AppData\Roaming\Media Player Classic
2008-04-15 00:37:42 0 d-------- C:\Users\Administrator\AppData\Roaming\Nero
2008-04-07 14:06:57 0 d-------- C:\Users\Administrator\AppData\Roaming\DAEMON Tools
2008-04-01 16:14:49 99864 --a------ C:\Users\Administrator\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-01-16 12:45:58 0 d-------- C:\Users\Administrator\AppData\Roaming\DivX
2008-01-15 13:36:47 0 d-------- C:\Users\Administrator\AppData\Roaming\WinRAR
2007-12-11 11:34:09 0 d-------- C:\Users\Administrator\AppData\Roaming\Adobe
2007-11-11 17:25:22 0 d-------- C:\Users\Administrator\AppData\Roaming\Winamp
2007-10-27 17:34:42 0 d-------- C:\Users\Administrator\AppData\Roaming\Ventrilo
2007-10-27 15:08:02 0 d-------- C:\Users\Administrator\AppData\Roaming\Macromedia
2007-10-23 11:26:19 0 d-------- C:\Users\Administrator\AppData\Roaming\InstallShield
2007-10-23 11:11:56 0 d-------- C:\Users\Administrator\AppData\Roaming\Identities
2003-07-18 11:33:51 0 d-------- C:\Users\Administrator\AppData\Roaming\My Games


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02715E47-5A8E-495B-8F63-0D30470B8E72}]
C:\Windows\system32\efcBqrqR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A212340-8D62-4E31-BAE7-216D44BC6766}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B400147-00CF-43EA-B15E-F5567198D161}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2308585E-0F3F-4005-A453-D7399B3DD2DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29de8833-947d-4585-8221-137606057192}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DEABF04-F5A5-41D8-AE2A-3FC47E4FF1CF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{311A3D77-D429-4B4E-84D0-5F8C897C7C1B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{445D04AD-B503-4CE7-B9D3-70D4B5F33030}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56EDF53B-3AD7-4ED7-8E97-78221033FDDD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58CF81D3-0C76-441B-B7E8-B24E25C86EF8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A02D614-1FF6-4287-8061-77D2E4DF0C28}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FD86F6E-7C5B-415F-8981-5781F1804706}]
04/15/2008 02:16 AM 273408 --------- C:\Windows\system32\rqRKDvvS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8355808D-8E34-49FA-8E06-27118A973642}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87ff9e07-2385-4151-91be-407270e56002}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ad1af37-76fd-400c-bbd9-c86c735a9814}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ED20FA3-D9CA-492A-AECA-FDD36E30A4C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97a78735-438e-44b7-b6a7-8fd7200c8ab0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A480EEEF-43DE-4423-B5FC-47C5E1B47D71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6518E39-2714-423D-BF22-6F2A80263104}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD2556CC-6A7A-4029-A4C5-90F98CA12997}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B71779B1-11C0-4239-8281-A8D0E8CBDD7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF9A4A37-23C6-4DB6-9392-4A308974C57C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0F3BED0-AC90-4F6D-987C-3FEB1AD25100}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED6D3C1E-4BB4-47AC-A23E-06C2E7C26A68}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f1721e55-428a-4028-97bb-eba4fe1e7249}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 AM]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [06/25/2008 06:48 AM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [04/29/2008 07:56 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 01:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 01:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 01:28 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 05:39 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 03:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{02715E47-5A8E-495B-8F63-0D30470B8E72}"= C:\Windows\system32\efcBqrqR.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\rqRKDvvS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2689696-04cd-11dd-b45b-001d604a9df3}]
AutoRun\command- I:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2003-07-21 11:35:05 ------------


#2 fenzodahl512

Posted 21 July 2008 - 12:28 PM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.



Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Hamroc (Topic Starter)

Posted 22 July 2008 - 03:15 AM

Thanks again for your time.


ComboFix 08-07-21.1 - Administrator 2008-07-22 3:43:36.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1027 [GMT -4:00]
Running from: C:\Users\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Windows\System32\apptnqus.ini
C:\Windows\system32\avkxfcsw.ini
C:\Windows\System32\bajdnkfu.ini
C:\Windows\system32\chpgvjts.ini
C:\Windows\system32\dbcmhasr.ini
C:\Windows\system32\dkrdeajp.ini
C:\Windows\system32\dyakdogx.ini
C:\Windows\System32\hefxkbra.ini
C:\Windows\system32\kcpvmvci.ini
C:\Windows\system32\kkwjvegd.ini
C:\Windows\system32\lhvrixot.ini
C:\Windows\system32\lttrcojx.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\System32\mktkcplt.ini
C:\Windows\System32\nfvhcvuy.ini
C:\Windows\system32\oihncdbt.ini
C:\Windows\system32\pfmqsvhq.ini
C:\Windows\system32\pyjqkoho.ini
C:\Windows\System32\QpYyIRqr.ini
C:\Windows\System32\QpYyIRqr.ini2
C:\Windows\System32\RAyaacfe.ini
C:\Windows\System32\RAyaacfe.ini2
C:\Windows\system32\rqRKDvvS.dll
C:\Windows\System32\SvvDKRqr.ini
C:\Windows\System32\SvvDKRqr.ini2
C:\Windows\System32\vGOrBJjl.ini
C:\Windows\System32\vGOrBJjl.ini2
C:\Windows\system32\vjqfprup.ini
C:\Windows\system32\xbvkeasr.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-13 14:57 . 2008-07-13 16:09 <DIR> d-------- C:\Program Files\Picasa2
2008-07-13 14:57 . 2008-07-13 14:57 <DIR> d-------- C:\Program Files\Google
2008-07-12 12:10 . 2008-06-25 21:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-12 12:10 . 2008-06-25 21:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-12 12:10 . 2008-06-25 23:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-06-30 10:10 . 2003-07-17 11:51 <DIR> d-------- C:\Program Files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 16:12 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-07-10 08:22 --------- d-----w C:\Program Files\Windows Mail
2008-07-05 17:53 --------- d-----w C:\Program Files\Starcraft
2008-07-03 16:14 94,208 ----a-w C:\Windows\ScUnin.exe
2008-06-19 16:44 --------- d-----w C:\Users\Administrator\AppData\Roaming\Ludia
2008-06-19 16:44 --------- d-----w C:\Users\ADMINI~1\AppData\Roaming\Ludia
2008-06-19 16:44 --------- d-----w C:\PROGRA~2\Ludia
2008-06-17 15:47 --------- d-----w C:\PROGRA~2\Rosetta Stone
2008-06-16 17:05 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-12 15:33 --------- d-----w C:\Program Files\Team17 Software Ltd
2008-06-10 21:30 --------- d-----w C:\PROGRA~2\AirportMania
2008-06-10 21:28 --------- d-----w C:\Program Files\ReflexiveArcade
2008-06-10 21:23 --------- d-----w C:\Program Files\QuickTime
2008-06-10 15:11 --------- d-----w C:\Users\Administrator\AppData\Roaming\PlayFirst
2008-06-10 15:11 --------- d-----w C:\Users\ADMINI~1\AppData\Roaming\PlayFirst
2008-06-10 15:11 --------- d-----w C:\PROGRA~2\PlayFirst
2008-06-09 17:14 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
2008-06-09 16:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-09 16:04 --------- d-----w C:\Program Files\DivX
2008-06-09 16:03 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-05 02:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-26 07:25 --------- d-----w C:\PROGRA~2\NVIDIA
2008-05-26 07:23 174 --sha-w C:\Program Files\desktop.ini
2008-05-26 07:16 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-26 07:16 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-26 07:16 --------- d-----w C:\Program Files\Windows Defender
2008-05-26 07:16 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-26 07:16 --------- d-----w C:\Program Files\Windows Calendar
2008-04-01 20:14 99,864 ----a-w C:\Users\Administrator\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-04-01 20:14 99,864 ----a-w C:\Users\ADMINI~1\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-04-16 15:32 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-16 15:32 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-16 15:32 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-04-29 19:56 158624]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 01:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 01:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 01:28 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\Windows\system32\rqRKDvvS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{83A0A3E1-C441-4653-9CA1-8FF24A5E00CC}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1D03721E-BB7D-4C7A-90AB-01489E0F9CF9}"= UDP:C:\Program Files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{8D129D8A-F1F2-4084-9F53-6872FA3FB0E6}"= TCP:C:\Program Files\World of Warcraft\BackgroundDownloader.exe:Blizzard Downloader
"{785E65E3-FF3E-4F02-8E8D-866F6001F3F2}"= UDP:3724:Blizzard Downloader: 3724
"{D357284F-CFC9-440C-A584-6B7557CF77B6}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{50135F36-1A3C-4CB6-82EE-E2EDF04E60E4}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{4781AFF2-E47B-4262-AD4C-E117E9B474C8}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{89AAC5C5-1BEE-4358-A6B2-CEDBE1B55044}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{C260829F-5E36-4228-A645-A13B611A505D}C:\\hl2\\half-life 2\\hl2.exe"= UDP:C:\hl2\half-life 2\hl2.exe:hl2
"UDP Query User{A168CEF9-424C-450F-A97A-9934E7CBC126}C:\\hl2\\half-life 2\\hl2.exe"= TCP:C:\hl2\half-life 2\hl2.exe:hl2
"TCP Query User{2FB4ACC0-DFF6-43C0-901B-035EC9A30F9E}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"UDP Query User{3A30E1F1-053C-4128-A470-E357FE76CD07}C:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:C:\program files\nero\nero8\nero home\nerohome.exe:Nero Home
"TCP Query User{5B8FF34F-9B85-4926-9B74-78133BD4BEAF}C:\\hl2\\team fortress 2\\hl2.exe"= UDP:C:\hl2\team fortress 2\hl2.exe:hl2
"UDP Query User{64FBE914-DCB8-44A6-97EE-833F2FA0386C}C:\\hl2\\team fortress 2\\hl2.exe"= TCP:C:\hl2\team fortress 2\hl2.exe:hl2
"TCP Query User{9047EFA5-0782-4860-B3DA-40616BF4F48F}C:\\program files\\steam\\steamapps\\common\\dawn of war soulstorm demo\\soulstorm.exe"= UDP:C:\program files\steam\steamapps\common\dawn of war soulstorm demo\soulstorm.exe:Soulstorm
"UDP Query User{1E0DE4D3-3999-4A1D-A124-F15888B7D370}C:\\program files\\steam\\steamapps\\common\\dawn of war soulstorm demo\\soulstorm.exe"= TCP:C:\program files\steam\steamapps\common\dawn of war soulstorm demo\soulstorm.exe:Soulstorm
"TCP Query User{1EC1CAA6-8A11-4EC5-8263-4ED5543FA9B7}C:\\hl2\\half-life 2\\hl2.exe"= UDP:C:\hl2\half-life 2\hl2.exe:hl2
"UDP Query User{30BE4E2A-A108-4737-939C-6FAA1B0E9784}C:\\hl2\\half-life 2\\hl2.exe"= TCP:C:\hl2\half-life 2\hl2.exe:hl2
"{F6C9880F-D91C-4631-9EB9-3DACD674D854}"= inRosettaStoneLtdServices.exe:Rosetta Stone Online Component (inbound)
"{E4FEE213-9500-4E1B-B042-6B7AEEB58A25}"= RosettaStoneVersion3.exe:Rosetta Stone V3 Application (inbound)
"{53F79E76-4955-48F8-93C1-6F3C917D747F}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{82768A1E-5105-4DF6-B5FA-CF5FA2E26295}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{DFE8BF9F-9F14-4A00-9BCC-D2652BB0949A}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{55E0DE7E-6627-45BD-B812-D247244A46A6}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{402DDBD2-4F5C-4E40-9BBD-D63185B3BA35}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{7919A92F-8CF5-4FDF-93CF-A5E156229B63}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{297ACBF8-423F-4B7D-A48C-C54800FEB4E7}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{17723B45-488A-4995-BC04-CFA78AB09FD1}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{40148E21-64BB-45A6-9F74-BC899C94769E}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{4A04A620-5D8F-4D71-851F-26ADB4941239}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-06-25 06:47]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-07-23 07:56]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 09:49]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\Windows\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2689696-04cd-11dd-b45b-001d604a9df3}]
\shell\AutoRun\command - I:\autorun.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {17492023-C23A-453E-A040-C7C580BBF700}


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 03:49:30
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-22 3:55:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-22 07:55:10

Pre-Run: 19,654,389,760 bytes free
Post-Run: 20,982,018,048 bytes free

196 --- E O F --- 2008-07-12 16:13:55





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:03 AM, on 7/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.05/uploader2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 5053 bytes

#4 fenzodahl512

Posted 22 July 2008 - 06:50 AM

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like, you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instructions on how to back up the registry via ERUNT, please visit HERE




NEXT


Please copy and paste the following into a Notepad

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2689696-04cd-11dd-b45b-001d604a9df3}]

Save it on the desktop as Fix.reg and in Save as type: choose All Files

A new registry file will then be created on your desktop.

Just double-click the file and choose Yes at prompt.

If you are not sure how to make a registry file, please visit HERE for the tutorial.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



Please post the following logs in your next reply..

1. Malwarebytes'
2. A fresh DSS log (after Malwarebytes' step)


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
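The Fix.reg in the post above resets the LSA "Authentication Packages" value to the Windows default (msv1_0 only) and writes it in the hex(7) form a .reg file uses for REG_MULTI_SZ: UTF-16LE bytes, each string ended by a NUL, the whole list ended by a second NUL. The Python below is an added example, not code from this thread or from any of the tools named in it. It decodes that encoding (including the backslash line continuation visible in the post), rebuilds it from a list of strings, and flags any entry beyond msv1_0 in a value written the way the DSS Registry Dump later in the thread prints it. Both sample inputs are constructed here to match the thread's values; the DSS line format is assumed from that dump.

```python
import re
from typing import List, Set

# Constructed sample: the Fix.reg from the post above, including the
# backslash line continuation a .reg file uses for long hex(7) values.
FIX_REG_TEXT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    '"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n'
    "  00\n"
)

# Constructed sample: the same value as a DSS "Registry Dump" line, carrying
# an extra entry after the default package (mirrors the dump later in the thread).
DSS_DUMP_LINE = '"Authentication Packages"= msv1_0 C:\\Windows\\system32\\rqRKDvvS'

# On a default Windows install only msv1_0 is registered here (assumed baseline).
DEFAULT_AUTH_PACKAGES: Set[str] = {"msv1_0"}


def parse_reg_multi_sz(reg_text: str, value_name: str) -> List[str]:
    """Return the strings stored in a hex(7) (REG_MULTI_SZ) value of a .reg file."""
    # A trailing backslash continues the byte list on the next line; join them first.
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    pattern = rf'"{re.escape(value_name)}"=hex\(7\):([0-9a-fA-F,]+)'
    match = re.search(pattern, joined)
    if match is None:
        raise ValueError(f"{value_name!r} not present as a hex(7) value")
    raw = bytes(int(byte, 16) for byte in match.group(1).split(",") if byte)
    # REG_MULTI_SZ is UTF-16LE: each string ends in NUL, the list in a second NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def to_reg_multi_sz(values: List[str]) -> str:
    """Encode a list of strings as the hex(7):... form a .reg file expects."""
    data = "".join(v + "\x00" for v in values) + "\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data.encode("utf-16-le"))


def parse_dss_auth_packages(line: str) -> List[str]:
    """Split a DSS dump line of the form '"Authentication Packages"= a b c'."""
    _, _, rhs = line.partition("=")
    return rhs.split()


def unexpected_auth_packages(packages: List[str],
                             expected: Set[str] = DEFAULT_AUTH_PACKAGES) -> List[str]:
    """Return entries that are not in the expected package set (case-insensitive)."""
    return [p for p in packages if p.lower() not in expected]


if __name__ == "__main__":
    fixed = parse_reg_multi_sz(FIX_REG_TEXT, "Authentication Packages")
    print("Fix.reg sets:", fixed)                         # ['msv1_0']
    print("Re-encoded:", to_reg_multi_sz(fixed))
    found = parse_dss_auth_packages(DSS_DUMP_LINE)
    print("Dump reports:", found)
    print("Needs attention:", unexpected_auth_packages(found))
```

Any entry this reports beyond msv1_0 is a DLL that LSA will load at boot, which is why the dump line in this thread pointed straight at the file the other tools could not delete while it was loaded, and why the fix rewrites the whole value rather than editing one entry.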


#5 Hamroc

Hamroc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 22 July 2008 - 12:10 PM

Malwarebytes' Anti-Malware 1.22
Database version: 978
Windows 6.0.6001 Service Pack 1

1:08:48 PM 7/22/2008
mbam-log-7-22-2008 (13-08-48).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 180740
Time elapsed: 1 hour(s), 56 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Deckard\System Scanner\20030721112918\backup\Users\ADMINI~1\AppData\Local\Temp\khehqrli.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\prsjeiyt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\awnujyxm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\cfuvpflc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\cldfkswb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\hnvphuhw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\klvfuodl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ntzfjmdc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\qkkzqfyy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\sajtzhcx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\sjrzxwgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\stpkjynj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\nztickhj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ehrcbyxi.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\adnvuzix.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\yomlgwvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\mzkqukmk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.







Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-22 13:09:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 20.36 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:25 PM, on 7/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/33.05/uploader2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 5157 bytes

-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 11:07:32 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-22 11:07:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 03:46:46 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-22 03:42:32 68096 --a------ C:\Windows\zip.exe
2008-07-22 03:42:32 49152 --a------ C:\Windows\VFind.exe
2008-07-22 03:42:32 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-22 03:42:32 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-22 03:42:32 98816 --a------ C:\Windows\sed.exe
2008-07-22 03:42:32 80412 --a------ C:\Windows\grep.exe
2008-07-22 03:42:32 89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-22 03:42:17 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-13 14:57:21 0 d-------- C:\Program Files\Google
2008-07-13 14:57:18 0 d-------- C:\Program Files\Picasa2
2008-06-30 10:10:48 0 d-------- C:\Program Files\Firaxis Games


-- Find3M Report ---------------------------------------------------------------

2008-07-22 11:07:34 0 d-------- C:\Users\Administrator\AppData\Roaming\Malwarebytes
2008-07-22 07:53:52 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-07-10 04:22:44 0 d-------- C:\Program Files\Windows Mail
2008-07-05 13:53:59 0 d-------- C:\Program Files\Starcraft
2008-07-03 12:14:40 32829 --a------ C:\Windows\scunin.dat
2008-07-03 12:14:39 967 --a------ C:\Windows\ScUnin.pif
2008-07-03 12:14:39 94208 --a------ C:\Windows\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-06-19 12:44:35 0 d-------- C:\Users\Administrator\AppData\Roaming\Ludia
2008-06-12 11:59:22 47104 --a------ C:\Windows\system32\KMVIDC32.DLL
2008-06-12 11:33:58 0 d-------- C:\Program Files\Team17 Software Ltd
2008-06-10 17:29:25 4096 --a------ C:\Windows\d3dx.dat
2008-06-10 17:28:59 0 d-------- C:\Program Files\ReflexiveArcade
2008-06-10 17:23:59 0 d-------- C:\Program Files\QuickTime
2008-06-10 11:11:58 0 d-------- C:\Users\Administrator\AppData\Roaming\PlayFirst
2008-06-09 12:04:25 0 d-------- C:\Program Files\DivX
2008-06-09 12:03:29 0 d-------- C:\Program Files\Common Files\Steam
2008-06-04 22:37:16 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-30 19:22:48 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 19:22:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 815104 --a------ C:\Windows\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:22:46 683520 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-26 03:23:22 174 --ahs---- C:\Program Files\desktop.ini
2008-05-26 03:16:05 0 d-------- C:\Program Files\Windows Sidebar
2008-05-26 03:16:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-26 03:16:05 0 d-------- C:\Program Files\Windows Collaboration
2008-05-26 03:16:05 0 d-------- C:\Program Files\Windows Calendar
2008-05-26 03:16:05 0 d-------- C:\Program Files\Movie Maker
2008-05-26 03:16:03 0 d-------- C:\Program Files\Windows Defender
2008-05-22 18:22:18 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-05-22 18:19:46 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 18:19:46 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 18:18:54 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-05-04 12:17:00 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [06/25/2008 06:48 AM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [04/29/2008 07:56 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 01:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 01:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 01:28 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 05:39 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 03:33 AM]

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\rqRKDvvS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2689696-04cd-11dd-b45b-001d604a9df3}]
AutoRun\command- I:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-22 13:09:47 ------------

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 22 July 2008 - 12:40 PM

Log looks good.. How is your computer? Let's do another scan just to make sure :thumbsup:


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



#7 Hamroc

Hamroc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 23 July 2008 - 12:44 AM

I am unable to download the activeX. It says I need IE security on medium and to be administrator and I have both of those. I ran a spybot scan and it turned up nothing and I have not had anymore problems.

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 23 July 2008 - 08:35 AM

Ok.. I believe your computer is good to go already..


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed



NEXT


Lastly, to keep your operating system up to date please visit the link below monthly.

To learn more about how to protect yourself while on the internet read this excellent article by Grinler: How did I get infected?, With steps so it does not happen again!

Please also read an excellent article by miekiemoes: Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512



#9 Hamroc

Hamroc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:15 PM

Posted 23 July 2008 - 10:28 AM

Everything seems to be running great. The computer is just as fast as the day I got it again. Thanks for all your help and for the articles you provided.

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 23 July 2008 - 10:49 AM

You are very welcome Hamroc, I'm glad that we could help.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512





