Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pc Appears To Be Infected With Vundo, Metajuan, Infostealer And Trojan.win32.monder.zm


  • This topic is locked This topic is locked
8 replies to this topic

#1 Mark P.

Mark P.

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 29 July 2008 - 08:28 PM

First and foremost, let me apologize if my log below here was posted improperly in any way. I am new to the site here having just joined earlier today, mere hours ago. My PC appears to have been infected with trojan.vundo, .MetaJuan, Infostealer, and after doing a brief Kaspersky scan of my PC (more details later on why it was just a brief scan), a file found appearing to be associated with Trojan.Win32.Monder.zm (which may be the root problem anyway....perhaps those other trojans, etc. have made their way onto my PC VIA this one).

My PC has been in this state I think for perhaps at least 4-5 weeks, and has been getting somewhat worse with time. My hard drive at the moment is rather full, though I’ll be cleaning up further space on it soon after this problem gets taken care of. My hard drive was close to being as full as it is right now before whatever infection has taken it over, so that should not be the issue here. I use Symantec Corporate Edition Antivirus version 8.0.1.425, with completely updated virus definitions as of today's date (7-29-2008). Symantec itself has been reporting trojan.vundo, trojan.MetaJuan, and Infostealer off and on at various times here and there over the last month or more on my PC during real-time scans. A while back I downloaded Symantec's Vundo removal tool, disabled my system restore options as they suggested in their vundo removal topic, and rebooted my PC in safe mode and I ran BOTH the removal tool as well as doing a full system scan also while in safe mode. Curiously enough, the vundo removal tool detected absolutely nothing, though after running the removal tool the full system scan detected and removed several files reportedly associated with vundo. It however DID leave behind at least one .dll file in the Windows System32 folder (the file detailed shortly below in fact, ewkxrjeg.dll) that cannot be deleted through ANY method I've tried, and that includes while being in safe mode also. Whatever this infection is, it has Windows Update disabled (as I have tried over and over to reactivate W.U., without success). It also opens up Internet Explorer on my PC on it's own at various random times. Most recently in the last 2 days, just clicking on any icon on my desktop causes real-time Symantec scans to report the file below:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\WINDOWS\system32\ewkxrjeg.dll
Location: C:\WINDOWS\system32
Computer: MARK
User: Mark P.
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tue Jul 29 19:53:56 2008

I did an online search VIA Yahoo to find alternative options for removing vundo, and through that search I found this site here thankfully :) .

Now, dealing with the recommended/required scans here. First of all, let me say that whatever is affecting my PC has over time made IE virtually useless. Anytime I try to start up that browser, it won't even get so far as loading my homepage, and instead it will trigger additional instances of the browser, with none of them loading up correctly or completely. Therefore, running the Kaspersky scan through IE was not an option. Also affected is my Firefox browser, though to a much lesser extent compared to IE. The one and only browser I have NOT affected? Naturally it would be a browser no longer even supported, Netscape.

Kaspersky showed my java and netscape browser to be sufficient enough to run their scanning tool, however when doing either a full system (My Computer) OR even a scan of the critical areas, the scan would freeze up (that being after 2-3 tries of it, letting it try and run for 2-3 hours at a time....it kept showing the scan stalling out in the same area of the scan each time [somewhere in the windows system32 folder, if that matters at all]. Now, if I did VERY specific pointed scans of certain folders on my PC where the infections have shown up through the Symantec AV notices, then Kaspersky DID indeed detect certain items....but only if I kept the searches small and limited in scope. The more areas I tried to do in one scan, the more likely it was to 'stall out' and basically freeze up my browser. So if you wonder why I cannot do a proper full Kaspersky scanning of my PC, the problems with both IE and Firefox would be why. If those helping me would like me to try and scan certain other specific areas of my PC short of doing a full scan, let me know and if I can, then I will. I’m not sure if I’ll be able to though, just to forewarn you.

Fortunately, the DSS scan went perfectly from what I can tell, thankfully! So without further ado, let me post what results I have from the small Kaspersky scans I was able to complete, as well as the results from the DSS scan:



main.txt:

Deckard's System Scanner v20071014.68
Run by Mark P. on 2008-07-29 17:52:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-29 22:53:01 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 1.3 GiB (less than 15%) free.


-- HijackThis (run as Mark P.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:56 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\HDD Health\hddhealth.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Ringo\Hub.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
C:\WINDOWS\explorer.exe
C:\Download Files\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mark P.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 205.238.40.52 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.1 cache0.winmx.com test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 cache1.winmx.com test3202.winmx.com test3206.winmx.com
O1 - Hosts: 82.43.224.20 cache2.winmx.com test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.204.21.111 cache3.winmx.com test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.204.21.111 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02082AC9-92A2-4F05-ADC2-9DE76695BBE5} - C:\WINDOWS\system32\eoruegeo.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - C:\WINDOWS\system32\opnmjGyv.dll
O2 - BHO: (no name) - {1F632004-FEA2-47F2-B8FD-81EE039D0C9A} - C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\PI789HLP\3077ahntdksr[2].dll (file missing)
O2 - BHO: {5f1f2e88-259f-b60a-9884-b0cccfc74822} - {22847cfc-cc0b-4889-a06b-f95288e2f1f5} - C:\WINDOWS\system32\gsyhlh.dll
O2 - BHO: (no name) - {D4751F22-EE82-4C03-A3BB-F9B564B9A716} - C:\WINDOWS\system32\qOIcbBUM.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [e0beb261] rundll32.exe "C:\WINDOWS\system32\cjfaqqhs.dll",b
O4 - HKLM\..\Run: [BMe38d81fd] Rundll32.exe "C:\WINDOWS\system32\monkwfmu.dll",s
O4 - HKLM\..\RunServices: [Windows Sound] svdhost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Screen-Cut] "C:\Program Files\Screen-Cut\Screen-Cut.exe" -quiet
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Framework.exe.lnk = C:\Program Files\Windows Media Player\Framework.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Ringo Launcher.lnk = C:\Program Files\Ringo\Hub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark P\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141327670687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144870238968
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - AppInit_DLLs: ewkxrjeg.dll
O20 - Winlogon Notify: opnmjGyv - C:\WINDOWS\SYSTEM32\opnmjGyv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

--
End of file - 17591 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.7.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.7.0>
R2 procguard - c:\windows\system32\drivers\procguard.sys
R3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>

S3 AR5416 (D-Link RangeBooster N Service) - c:\windows\system32\drivers\ar5416.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5008 Wireless Network Adapter>
S3 PNDIS5 (PNDIS5 NDIS Protocol Driver) - d:\pndis5.sys (file missing)
S3 xbreader (MaxDrive XBox Driver (xbreader.sys)) - c:\windows\system32\drivers\xbreader.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\program files\d-link\d-link rangebooster n dwa-542\acs.exe <Not Verified; Atheros; Atheros Configuration Service (ACS)>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DCSPGSRV (DiamondCS Process Guard Service v3.000) - "c:\program files\processguard\dcsuserprot.exe" <Not Verified; DiamondCS; DiamondCS Usermode Aspect>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 SandraDataSrv (Sandra Data Service) - c:\program files\sisoftware\sisoftware sandra lite 2007\win32\rpcdatasrv.exe <Not Verified; SiSoftware; SiSoftware Sandra 2007 r3>
S3 SandraTheSrv (Sandra Service) - c:\program files\sisoftware\sisoftware sandra lite 2007\rpcsandrasrv.exe <Not Verified; SiSoftware; SiSoftware Sandra 2007 r3>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_90161509&REV_03\3&13C0B0C5&0&10
Manufacturer: Intel Corporation
Name: Intel® 82845G/GL/GE/PE/GV Graphics Controller
PNP Device ID: PCI\VEN_8086&DEV_2562&SUBSYS_90161509&REV_03\3&13C0B0C5&0&10
Service: ialm

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link RangeBooster N
Device ID: PCI\VEN_168C&DEV_0023&SUBSYS_3A691186&REV_86\4&1A671D0C&0&00F0
Manufacturer: Atheros
Name: D-Link RangeBooster N
PNP Device ID: PCI\VEN_168C&DEV_0023&SUBSYS_3A691186&REV_86\4&1A671D0C&0&00F0
Service: AR5416


-- Scheduled Tasks -------------------------------------------------------------

2008-07-26 11:24:28 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 17:56:11 0 d-------- C:\Program Files\Trend Micro
2008-07-29 13:49:22 95744 --a------ C:\WINDOWS\system32\gsyhlh.dll
2008-07-29 13:49:21 95744 --a------ C:\WINDOWS\system32\vqgxurmv.dll
2008-07-29 13:46:21 81920 --a------ C:\WINDOWS\system32\cjfaqqhs.dll
2008-07-29 13:43:29 90624 --a------ C:\WINDOWS\system32\monkwfmu.dll
2008-07-29 10:38:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-29 10:38:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-29 10:38:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-29 10:38:53 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-29 10:38:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-29 10:38:53 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-29 10:38:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-29 10:38:53 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-29 10:38:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-29 10:38:53 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-29 10:38:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-29 10:38:53 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-29 10:38:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-29 10:38:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-28 01:04:02 96256 --a------ C:\WINDOWS\system32\ceuebt.dll
2008-07-28 01:04:01 96256 --a------ C:\WINDOWS\system32\jesgpoiv.dll
2008-07-28 01:01:36 89088 --a------ C:\WINDOWS\system32\epdgumue.dll
2008-07-28 00:58:03 96256 --a------ C:\WINDOWS\system32\yriopf.dll
2008-07-28 00:58:02 96256 --a------ C:\WINDOWS\system32\tlhtpojg.dll
2008-07-28 00:55:02 89088 --a------ C:\WINDOWS\system32\wncphnvt.dll
2008-07-27 00:57:23 96256 --a------ C:\WINDOWS\system32\npkdxy.dll
2008-07-27 00:57:22 96256 --a------ C:\WINDOWS\system32\dwolreti.dll
2008-07-27 00:54:23 89600 --a------ C:\WINDOWS\system32\eqoutadr.dll
2008-07-26 00:54:11 95744 --a------ C:\WINDOWS\system32\zielea.dll
2008-07-26 00:54:10 95744 --a------ C:\WINDOWS\system32\lrhwkgmq.dll
2008-07-26 00:51:31 91136 --a------ C:\WINDOWS\system32\dlshtkjx.dll
2008-07-25 00:58:57 94208 --a------ C:\WINDOWS\system32\pizbzu.dll
2008-07-25 00:58:56 94208 --a------ C:\WINDOWS\system32\yuyquapf.dll
2008-07-25 00:52:55 90624 --a------ C:\WINDOWS\system32\rnckyfjs.dll
2008-07-25 00:49:40 94208 --a------ C:\WINDOWS\system32\wfmeos.dll
2008-07-25 00:49:39 94208 --a------ C:\WINDOWS\system32\tglmpaae.dll
2008-07-25 00:46:39 90624 --a------ C:\WINDOWS\system32\esnlmckw.dll
2008-07-23 00:48:01 96256 --a------ C:\WINDOWS\system32\judgfz.dll
2008-07-23 00:47:59 96256 --a------ C:\WINDOWS\system32\lofsbrca.dll
2008-07-22 00:43:30 95232 --a------ C:\WINDOWS\system32\likxfz.dll
2008-07-22 00:43:27 95232 --a------ C:\WINDOWS\system32\mtriwfqf.dll
2008-07-22 00:43:03 90112 --a------ C:\WINDOWS\system32\udxieets.dll
2008-07-13 20:42:02 93208 --a------ C:\WINDOWS\system32\pghash.dat
2008-07-13 20:42:00 127908 --a------ C:\WINDOWS\system32\pguard.dat
2008-07-11 09:56:25 49664 --a------ C:\WINDOWS\system32\fhtlcjpk.dll
2008-07-10 09:59:25 49664 --a------ C:\WINDOWS\system32\clnlsple.dll
2008-07-09 09:56:31 49664 --a------ C:\WINDOWS\system32\vhjdvrsq.dll
2008-07-08 16:09:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-08 09:55:32 49664 --a------ C:\WINDOWS\system32\xdtefffw.dll
2008-07-04 17:14:57 112347130 --a----c- C:\SYM_REGISTRY_BACKUP.reg
2008-07-01 02:04:13 106496 --a------ C:\WINDOWS\system32\procguard.dll
2008-07-01 02:04:13 24911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2008-07-01 02:04:10 0 d-------- C:\Program Files\ProcessGuard
2008-07-01 01:51:23 0 d-------- C:\Program Files\mm.BOT


-- Find3M Report ---------------------------------------------------------------

2008-07-29 17:55:17 874929 --ahs---- C:\WINDOWS\system32\MUBbcIOq.ini2
2008-07-29 17:13:31 0 d-------- C:\Program Files\mIRC
2008-07-28 19:55:09 0 d-------- C:\Documents and Settings\Mark P\Application Data\Azureus
2008-07-28 18:54:30 0 d-------- C:\Program Files\Diablo II
2008-07-12 15:02:55 95190 --a----c- C:\WINDOWS\DIIUnin.dat
2008-07-08 16:09:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-08 16:03:32 0 d-------- C:\Documents and Settings\Mark P\Application Data\AdobeUM
2008-07-08 15:40:52 0 d-------- C:\Program Files\Mozilla Firefox 3
2008-06-23 12:03:33 105984 -----n--- C:\WINDOWS\system32\ewkxrjeg.dll
2008-06-23 06:25:58 0 d-------- C:\Program Files\Azureus
2008-06-17 20:00:11 0 d-------- C:\Documents and Settings\Mark P\Application Data\Mozilla
2008-06-17 13:26:57 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-11 07:11:24 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-11 01:32:09 2528 --a------ C:\Documents and Settings\Mark P\Application Data\$_hpcst$.hpc
2008-06-11 01:26:39 0 d-------- C:\Program Files\Windows Mobile Device Handbook
2008-06-02 00:21:31 0 d-------- C:\Program Files\Common Files\Scanner
2008-05-31 17:34:47 0 d-------- C:\Documents and Settings\Mark P\Application Data\U3
2008-05-30 23:51:24 0 d-------- C:\Program Files\Lavasoft
2008-05-30 23:50:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 23:41:11 0 d-------- C:\Program Files\Dream Aquarium
2008-05-30 23:32:59 59392 --a------ C:\WINDOWS\system32\qoMghFuS.dll
2008-05-30 23:29:54 58368 --a------ C:\WINDOWS\system32\yayxvVLC.dll
2008-05-30 23:29:21 0 d-------- C:\Program Files\Webteh
2008-05-30 23:28:32 58368 --a------ C:\WINDOWS\system32\iiffEtqq.dll
2008-05-25 05:56:27 370688 --a------ C:\WINDOWS\system32\qOIcbBUM.dll
2008-05-25 05:51:14 58880 --a------ C:\WINDOWS\system32\opnmjGyv.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02082AC9-92A2-4F05-ADC2-9DE76695BBE5}]
C:\WINDOWS\system32\eoruegeo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}]
05/25/2008 05:51 AM 58880 --a------ C:\WINDOWS\system32\opnmjGyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F632004-FEA2-47F2-B8FD-81EE039D0C9A}]
C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\PI789HLP\3077ahntdksr[2].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22847cfc-cc0b-4889-a06b-f95288e2f1f5}]
07/29/2008 01:49 PM 95744 --a------ C:\WINDOWS\system32\gsyhlh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4751F22-EE82-4C03-A3BB-F9B564B9A716}]
05/25/2008 05:56 AM 370688 --a------ C:\WINDOWS\system32\qOIcbBUM.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMC_AutoUpdate"="" []
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 06:06 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/28/2007 10:35 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [04/09/2003 04:08 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [10/11/2007 01:06 PM]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [09/15/2003 09:00 PM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [09/17/2003 10:43 AM]
"CTHelper"="CTHELPER.EXE" [04/09/2007 12:32 PM C:\WINDOWS\system32\CtHelper.exe]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [06/18/2003 01:00 AM]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [11/16/2007 08:20 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/03/2004 12:00 PM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [01/23/2008 11:22 PM]
"!1_pgaccount"="C:\Program Files\ProcessGuard\pgaccount.exe" [01/20/2005 02:14 PM]
"e0beb261"="C:\WINDOWS\system32\cjfaqqhs.dll" [07/29/2008 01:46 PM]
"BMe38d81fd"="C:\WINDOWS\system32\monkwfmu.dll" [07/29/2008 01:43 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [11/30/2006 10:49 PM]
"Screen-Cut"="C:\Program Files\Screen-Cut\Screen-Cut.exe" [08/04/2007 03:23 PM]
"SB Audigy 2 Startup Menu"="C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE" [11/13/2002 01:00 AM]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [10/08/2003 04:35 PM]
"HDDHealth"="C:\Program Files\HDD Health\hddhealth.exe" [06/17/2003 01:37 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/27/2007 07:03 PM]
"!1_ProcessGuard_Startup"="C:\Program Files\ProcessGuard\procguard.exe" [01/20/2005 02:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Sound"=svdhost.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}"= C:\WINDOWS\system32\opnmjGyv.dll [05/25/2008 05:51 AM 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmjGyv]
opnmjGyv.dll 05/25/2008 05:51 AM 58880 C:\WINDOWS\system32\opnmjGyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=ewkxrjeg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qOIcbBUM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3d247d4-2f60-11dd-bd4b-0040ca83bdf7}]
AutoRun\command- J:\LaunchU3.exe -a

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER



-- Hosts -----------------------------------------------------------------------

205.238.40.52 www.winmx.com err.winmx.com
205.238.40.1 cache0.winmx.com test3201.winmx.com test3205.winmx.com
205.238.40.2 cache1.winmx.com test3202.winmx.com test3206.winmx.com
82.43.224.20 cache2.winmx.com test3203.winmx.com test3207.winmx.com
82.204.21.111 cache3.winmx.com test3204.winmx.com test3208.winmx.com
205.238.40.1 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
205.238.40.1 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com

15 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-29 17:59:51 ------------


and the the results from
extra.txt:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 2039.48 MiB / 1476.36 MiB
Pagefile Memory (total/avail): 2646.12 MiB / 2246.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.14 MiB

C: is Fixed (NTFS) - 111.78 GiB total, 1.3 GiB free.
D: is CDROM (No Media)
E: is Fixed (FAT32) - 232.82 GiB total, 0.01 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200BB-22FTA0 - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.78 GiB - C:

\\.\PHYSICALDRIVE1 - Datel Max Memory USB Device - 7.81 MiB - 0 partitions

\\.\PHYSICALDRIVE2 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE3 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE4 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE5 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE6 - ST325062 3A USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 232.88 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"="C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp:*:Enabled:kazaalite"
"D:\\Setup.exe"="D:\\Setup.exe:*:Enabled:Setup Wizard of WRE54G"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe:*:Enabled:Medal of Honor Allied Assault™ Breakthrough"
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault™"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:YServer Module"
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\sandra.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\sandra.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe"="C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Network Magic Service"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\LimeWire 4.12.4\\LimeWire.exe"="C:\\Program Files\\LimeWire 4.12.4\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Diablo II\\D2Loader-1.11b.exe"="C:\\Program Files\\Diablo II\\D2Loader-1.11b.exe:*:Enabled:Diablo II"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe"="C:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe:*:Enabled:Redlightcenter"
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mark P\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MARK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mark P
LOGONSERVER=\\MARK
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE15~2.0_0\bin;C:\Program Files\\Netscape\\Netscape Browser;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0303
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MARKPU~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MARKPU~1\LOCALS~1\Temp
USERDOMAIN=MARK
USERNAME=Mark P
USERPROFILE=C:\Documents and Settings\Mark P
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Mark P (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2ZS\Program\Ctzapxx.EXE" /W /U /S
--> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5933921D-4253-40B6-B4D9-B7D680F1B6EC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5933921D-4253-40B6-B4D9-B7D680F1B6EC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
Action Replay XBOX 1.42 --> "C:\Program Files\Datel\Action Replay XBOX\unins000.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Altdo Video Converter Diamond 1.4 --> "C:\Program Files\Altdo Video Converter Diamond\unins000.exe"
Amadis Video Converter Suite V1.0.0 --> "C:\Program Files\Amadis Software\Amadis Video Converter Suite\unins000.exe"
Anyzip (remove only) --> C:\Program Files\AnyZip\Uninst.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft MediaConverter 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B15D991-5619-4BC1-B71E-3DE793B792FC}\setup.exe" -l0x9
AsfTools 3.1 (remove only) --> C:\Program Files\AsfTools 3.1\Uninst.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
AutoIt v3.1.1 --> C:\Program Files\AutoIt3\Uninstall.exe
Azureus --> C:\Program Files\Azureus\Uninstall.exe
BitComet 0.71 --> C:\Program Files\BitComet\uninst.exe
BitTorrent 4.22.1 --> "C:\Program Files\BitTorrent\uninstall.exe"
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll"
BS.Player PRO --> "C:\Program Files\Webteh\BSplayerPro\uninstall.exe"
CamStudio --> C:\Program Files\CamStudio\uninstall.exe
Canon iP1600 --> C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 /remove
D-Link AirPlus G Wireless LAN Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5749E57-AD4A-4B1B-ABC5-885FDBC286C9}\Setup.exe" -l0x9
D-Link RangeBooster N DWA-542 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F6F39E3-D24D-4EEE-9AEA-DEDAF991385D}\setup.exe" -l0x9 -removeonly
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DiamondCS ProcessGuard v3.150 --> "C:\Program Files\ProcessGuard\unins000.exe"
Dominoes, Win42, and WinMoon --> C:\PROGRA~1\Games\Dominoes\UNWISE.EXE C:\PROGRA~1\Games\Dominoes\INSTALL.LOG
Dream Aquarium --> "C:\Program Files\Dream Aquarium\UnInstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDx 2.3 --> "C:\Program Files\DVDx\unins000.exe"
Dziobas Rar Player 0.007PL --> "C:\Program Files\Dziobas Rar Player\unins000.exe"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
FLAC Installer 1.1.2a (remove only) --> C:\Program Files\FLAC\uninstall.exe
FlyingFinn's NFL 2k5 Gamesave Editor --> MsiExec.exe /X{9CAEF6AD-9001-47A5-A87C-235B9EF37BF8}
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
HDD Health v2.0 Final Release --> "C:\Program Files\HDD Health\unins000.exe"
Hello (remove only) --> "C:\Program Files\Hello\Uninstall.exe"
Hero Editor V0.90 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Diablo II Hero Editor\ST6UNST.LOG"
Hero Editor V0.96 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Diablo II\Hero Editor v0.96\ST6UNST.LOG"
Hidden Emoticons for Yahoo! Messenger 6 --> C:\Program Files\Yahoo!\YHsmiles\uninst.exe
IMVU Avatar Chat Software --> C:\Program Files\IMVU\Uninstall.exe
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® Processor ID Utility --> MsiExec.exe /X{A92A4DB0-CD37-42D1-BE1D-603D53C24328}
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
K-Lite Codec Pack 2.20 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kazaa Lite Resurrection 0.0.7.6 F --> "C:\Program Files\Kazaa Lite Resurrection\unins000.exe"
LimeWire 4.12.6 --> "C:\Program Files\LimeWire 4.12.4\uninstall.exe"
LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech Gaming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C1DA723-24FC-48AD-93BA-925695C3EF26}\setup.exe" -l0x9 -removeonly
Memento LE --> MsiExec.exe /I{0C1470B9-E23D-41BB-B944-CADB2B9EB6F1}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft Producer for Microsoft Office PowerPoint 2003 --> MsiExec.exe /I{155FBB0D-0EE9-42D1-9E41-15E08F691033}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft WorldWide Telescope --> MsiExec.exe /I{F9C80FE8-DB25-4EE5-AE6D-4332FB0E8B83}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
mm.BOT --> "C:\WINDOWS\mm.BOT\uninstall.exe" "/U:C:\Program Files\mm.BOTv5.44Bu6\Uninstall\uninstall.xml"
mm.BOT --> "C:\WINDOWS\mm.BOT\uninstall.exe" "/U:C:\WINDOWS\mm.BOT\uninstall.xml"
mm.BOT --> "C:\WINDOWS\mm.BOT\uninstall.exe" "/U:C:\WINDOWS\mm.BOT\uninstall.xml"
MOTO Q 9h Device Handbook --> C:\Program Files\Windows Mobile Device Handbook\Windows Mobile Device Handbook\Bin\DHUninstall.exe
Movkit Batch Video Converter 2.5 --> "C:\Program Files\Movkit Batch Video Converter\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox 3\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
MXpie Patch for WinMX Network/WPNP 3.3.3.4 --> C:\Program Files\MXpie Patch\MXpie_Uninstaller.exe
Nero 7 Ultra Edition --> MsiExec.exe /X{847CAE64-4CD2-4B2D-AF00-978FF5431033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Netscape Browser (remove only) --> "C:\Program Files\\Netscape\\Netscape Browser\NSUninst.exe"
Oblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
Opera --> C:\PROGRA~1\Opera\uninst\unwise.exe C:\PROGRA~1\Opera\uninst\install.log
PFConfig 1.0.144 --> C:\Program Files\PFConfig\uninst.exe
Photo Resize Magic 1.1 --> C:\Program Files\Photo Resize Magic\uninst.exe
PowerDVD Ultra --> "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -l0x000409 /z-uninstall
Quick Screen Recorder 1.5 --> "C:\Program Files\Quick Screen Recorder\unins000.exe"
Quick Screenshot Maker 2.1 --> "C:\Program Files\Quick Screenshot Maker\unins000.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Real Alternative 1.48 --> "C:\Program Files\Real Alternative\unins000.exe"
RedLightCenter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35C73A54-1428-4893-B041-58AA594F4ACD}\setup.exe" -l0x9
Resize Pictures Plus 1.1 --> "C:\Program Files\Resize Pictures Plus\unins000.exe"
Ringo Companion --> C:\PROGRA~1\Ringo\UNWISE.EXE C:\PROGRA~1\Ringo\INSTALL.LOG
Screen-Cut --> MsiExec.exe /I{84170F62-DE16-4FFA-BCF3-B13C17465AAE}
SD Weather Lab 6.1 --> "C:\WINDOWS\SD Weather Lab 6.1\uninstall.exe" "/U:C:\Program Files\SD Weather Lab 6.1\Uninstall\uninstall.xml"
SiSoftware Sandra Lite 2007 (Win64/32/CE) --> "C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\unins000.exe"
SnagIt 8 --> MsiExec.exe /I{524228C9-826F-4B58-9E47-4F2E5C7E9F45}
Sound Blaster Audigy 2 ZS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\SETUP.EXE" -l0x9
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
TechSmith EnSharpen --> C:\Program Files\TechSmith\EnSharpen\UNWISE.EXE /U /Z "C:\Program Files\TechSmith\EnSharpen\INSTALL.LOG"
TMPGEnc Plus 2.521.58.169 --> "C:\Program Files\TMPGEnc Plus\unins000.exe"
Trivia Machine --> C:\Program Files\Trivia Machine\UNWISE.EXE C:\Program Files\Trivia Machine\INSTALL.LOG
Trixie --> MsiExec.exe /I{8EEA1427-5C0D-469F-9FC6-A622A99D98EB}
U2 Screen Saver --> sstunst2.exe U2
Video Strip Poker Classic --> C:\Program Files\Video Strip Poker\uninstall.exe C:\Program Files\Video Strip Poker\
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinMoon --> C:\PROGRA~1\Games\Dominoes\UNWISE.EXE C:\PROGRA~1\Games\Dominoes\INSTALL.LOG
WinMX --> C:\Program Files\WinMX\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRar\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireless Keyboard and Mouse --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Wireless Device\Wireless Keyboard\uninst.isu" -c"C:\Program Files\Wireless Device\Wireless Keyboard\UnInst.dll"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type9766 / Error
Event Submitted/Written: 07/29/2008 01:25:35 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.Vundo in File: C:\WINDOWS\system32\ewkxrjeg.dll by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied

Event Record #/Type9762 / Warning
Event Submitted/Written: 07/29/2008 01:25:21 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type9761 / Warning
Event Submitted/Written: 07/29/2008 01:25:21 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type9758 / Warning
Event Submitted/Written: 07/29/2008 01:25:14 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type9757 / Warning
Event Submitted/Written: 07/29/2008 01:25:14 PM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1100 / Error
Event Submitted/Written: 07/29/2008 05:55:51 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type1085 / Error
Event Submitted/Written: 07/29/2008 05:12:16 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The HTTP SSL service failed to start due to the following error:
%%1053

Event Record #/Type1084 / Error
Event Submitted/Written: 07/29/2008 05:12:16 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.

Event Record #/Type1063 / Error
Event Submitted/Written: 07/29/2008 05:10:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The PfModNT service failed to start due to the following error:
%%2

Event Record #/Type1028 / Error
Event Submitted/Written: 07/29/2008 01:25:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The PfModNT service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-29 17:59:51 ------------


and now the brief Kaspersky scan results that I have:


Kaspersky Log 1 (2008-07-29).txt:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 29, 2008 19:51:46
Records in database: 1023975
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - File:
C:\WINDOWS\system32\ewkxrjeg.dll

Scan statistics:
Files scanned: 1
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:00:01


File name / Threat name / Threats count
C:\WINDOWS\system32\ewkxrjeg.dll Infected: Trojan.Win32.Monder.zm 1

The selected area was scanned.

and also, a second scan from a different area that I knew has been a problem:


Kaspersky Log 2 (2008-07-29).txt:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 29, 2008 19:51:46
Records in database: 1023975
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\Documents and Settings\Mark P\Local Settings

Scan statistics:
Files scanned: 2843
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 00:02:54


File name / Threat name / Threats count
C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\4NF45X66\kb671231[1] Infected: Trojan.Win32.Monder.bbw 1
C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\4NF45X66\kb671231[2] Infected: Trojan.Win32.Monder.bbw 1
C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\6YHHPLOX\kb671231[1] Infected: Trojan.Win32.Monder.awm 1
C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\B0NSHNR8\AV2009Install_77052201[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.varq 1
C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\PI789HLP\kb671231[2] Infected: Trojan.Win32.Monder.awj 1

The selected area was scanned.



Whew! Well, I hope that covers all evidence that I can supply at this time :) . Thanks in advance to whoever takes a look at this, your help is very appreciated :thumbsup: !!!

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:24 AM

Posted 30 July 2008 - 03:02 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Mark P.

Mark P.
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 31 July 2008 - 12:57 PM

Thank you for the help already. I can already see significant progress with my PC. No viruses have been detected/reported since I re-enabled Symantec Corp. AV scanning following the running of ComboFix. Also, finally for the first time in weeks, it seems as if I can use Internet Explorer normally again, without issues as far as I can tell thus far. There are still a few oddities and problems left that I have observed however, but this is of course to be expected I'm sure. One of the strange things I noticed which I can tell is likely to be expected, is following the rebooting of my PC while I was running ComboFix, upon restart 2 error messages popped up (my apologies for not having them word for word, but basically they dealt with 2 "missing" files not found in the windows system32 folder....formerly associated with my PC's infection I'm sure). I also installed the Windows XP Recovery console as requested.

I realized that I think I did leave out a VERY important bit of helpful info in my previous post, though I think that the logs from the DSS/HijackThis scans showed it. This would be the fact that Windows Update is not properly working and has been disabled by the infection my PC had. Let me describe what happens when I try to go to the Windows Update website. It gives me the message and directions below:

[Error number: 0x80070422]

The site cannot continue because one or more of these Windows services is not running:
* Automatic Updates (allows the site to find, download and install high-priority updates for your computer)
* Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted)
* Event Log (keeps a record of updating activities to help with troubleshooting, if needed)
To make sure these services are running:
1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, double-click on Automatic Updates and then click Properties.
4. In the Startup type list, select Automatic and click Apply.
5. Verify that the Service status is started, if the Service Status is Stopped click on the Start Button.
6. In the list of services, double-click on Background Intelligent Transfer Service (BITS) and then click Properties.
7. In the Startup type list, select Manual and click Apply.
8. Verify that the Service status is started, If the Service Status is Stopped click on the Start Button.
9. In the list of services, double-click on Event Log and then click Properties.
10. In the Startup type list, select Automatic and click Apply.
11. Verify that the Service status is started, If the Service Status is Stopped click on the Start Button.
If this does not resolve the problem you may request help from one of the following resources.

Now BITS and the event log are enabled and running properly as they both should according to the information above, and I have checked this to be true. However, when I try to follow the instructions for starting Automatic Updates again, I CAN set it back to automatic again finally (I couldn't do this before, the infection would constantly keep disabling AU right after I would enable it automatically). Now though that it is set back to automatic, it says that it is not started when I try to click 'start' to reactivate it, and I get the following error message:

"Could not start the Automatic Updates service on Local Computer.

Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."

In my case, it appears to me to be no devices enabled for it, because when I checked out the 'dependencies' tab under Automatic Updates Properties, the details show that there are no program/file dependencies currently set up at all for the AU service. Perhaps it was not necessary to report all of this above, but from everything I have read here, it seems the more information I can supply to pinpoint any problems that I'm having, the better (EDIT!!!: Well, I guess persistence pays off, because after a few more tries, the Windows Updates service seems to now be turned back on :) ! It is searching for recent updates from Microsoft as I speak right now)...(EDIT #2: I spoke too soon, some windows updates did indeed work and get installed properly, but for some mysterious reason, service pack 3 would not install....during the middle of it's installation I got an error saying "Service Pack 3 - Access Denied". I'm not sure if this is due to my previous prior problems with vundo et. al., or if this is another issue entirely. I tried to install it once and that's all I'm going to try for now.).

Now, as requested I have obviously ran ComboFix and its log results are included below. As far as a HijackThis log though....that step was a bit more confusing to me since I'm new to this forum. Was I supposed to fully run another DSS scan (which I did before as requested when preparing a totally new topic) and post log results from that? Or, should I simply run HijackThis by itself and post its log results? I took this to mean run HijackThis alone only, so that's what I did, and its log results are included below. If I should have instead ran the full DSS scan and posted those results, then let me know. So without further delay, here are the results from the scans :) :


Here is the ComboFix log:

ComboFix 08-07-29.1 - Mark P 2008-07-30 23:53:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1453 [GMT -5:00]
Running from: C:\Documents and Settings\Mark P\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark P\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mark P\Application Data\macromedia\Flash Player\#SharedObjects\X44FVP6X\interclick.com
C:\Documents and Settings\Mark P\Application Data\macromedia\Flash Player\#SharedObjects\X44FVP6X\interclick.com\ud.sol
C:\Documents and Settings\Mark P\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Mark P\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\BMe38d81fd.txt
C:\WINDOWS\BMe38d81fd.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abbirsgs.dll
C:\WINDOWS\system32\ahdfsaii.ini
C:\WINDOWS\system32\ahsktnpl.ini
C:\WINDOWS\system32\bawraofi.ini
C:\WINDOWS\system32\bcjmcxcu.ini
C:\WINDOWS\system32\bjijosvh.ini
C:\WINDOWS\system32\bnxgxccq.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ceuebt.dll
C:\WINDOWS\system32\cjfaqqhs.dll
C:\WINDOWS\system32\clnlsple.dll
C:\WINDOWS\system32\cstmvf.dll
C:\WINDOWS\system32\dahonbec.ini
C:\WINDOWS\system32\dapkbssn.ini
C:\WINDOWS\system32\ddhgkscj.dll
C:\WINDOWS\system32\dlshtkjx.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\dwolreti.dll
C:\WINDOWS\system32\epdgumue.dll
C:\WINDOWS\system32\eqoutadr.dll
C:\WINDOWS\system32\esnlmckw.dll
C:\WINDOWS\system32\ewkxrjeg.dll
C:\WINDOWS\system32\fhtlcjpk.dll
C:\WINDOWS\system32\fuqxplvj.dll
C:\WINDOWS\system32\fykgwnxi.ini
C:\WINDOWS\system32\ggejovpc.ini
C:\WINDOWS\system32\gpjcguop.ini
C:\WINDOWS\system32\gsyhlh.dll
C:\WINDOWS\system32\hbjyiibk.ini
C:\WINDOWS\system32\hdixovag.ini
C:\WINDOWS\system32\hnuajwdf.ini
C:\WINDOWS\system32\hoimvxux.ini
C:\WINDOWS\system32\idoamxvx.ini
C:\WINDOWS\system32\iefhujla.ini
C:\WINDOWS\system32\iiffEtqq.dll
C:\WINDOWS\system32\iqdphxfu.ini
C:\WINDOWS\system32\irlykcnn.ini
C:\WINDOWS\system32\iruiejmo.ini
C:\WINDOWS\system32\ivpytnem.ini
C:\WINDOWS\system32\jesgpoiv.dll
C:\WINDOWS\system32\jewrosgu.ini
C:\WINDOWS\system32\judgfz.dll
C:\WINDOWS\system32\jwswdnux.ini
C:\WINDOWS\system32\kufokwnh.ini
C:\WINDOWS\system32\kwcrdytl.ini
C:\WINDOWS\system32\laapypqn.ini
C:\WINDOWS\system32\lfdxdqxi.ini
C:\WINDOWS\system32\likxfz.dll
C:\WINDOWS\system32\lofsbrca.dll
C:\WINDOWS\system32\lrhwkgmq.dll
C:\WINDOWS\system32\ltbewsst.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnsikcut.ini
C:\WINDOWS\system32\monkwfmu.dll
C:\WINDOWS\system32\mtriwfqf.dll
C:\WINDOWS\system32\MUBbcIOq.ini
C:\WINDOWS\system32\MUBbcIOq.ini2
C:\WINDOWS\system32\npkdxy.dll
C:\WINDOWS\system32\obrehpxu.ini
C:\WINDOWS\system32\ocfcvdpo.ini
C:\WINDOWS\system32\oeesiwsp.ini
C:\WINDOWS\system32\ohsqlfcp.ini
C:\WINDOWS\system32\opnmjGyv.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\peqxcwnj.ini
C:\WINDOWS\system32\pizbzu.dll
C:\WINDOWS\system32\plvocpwc.ini
C:\WINDOWS\system32\pulricjq.ini
C:\WINDOWS\system32\qehbwfhl.ini
C:\WINDOWS\system32\qOIcbBUM.dll
C:\WINDOWS\system32\qoMghFuS.dll
C:\WINDOWS\system32\rnckyfjs.dll
C:\WINDOWS\system32\sblocuvn.ini
C:\WINDOWS\system32\seoihkgj.ini
C:\WINDOWS\system32\sgsribba.ini
C:\WINDOWS\system32\shqqafjc.ini
C:\WINDOWS\system32\sswcfwby.ini
C:\WINDOWS\system32\svliculw.ini
C:\WINDOWS\system32\tdcgvwsp.ini
C:\WINDOWS\system32\tglmpaae.dll
C:\WINDOWS\system32\tlgmwcci.ini
C:\WINDOWS\system32\tlhtpojg.dll
C:\WINDOWS\system32\tomauhfc.ini
C:\WINDOWS\system32\udxieets.dll
C:\WINDOWS\system32\uhbqpmjq.ini
C:\WINDOWS\system32\vbpgssye.ini
C:\WINDOWS\system32\vhjdvrsq.dll
C:\WINDOWS\system32\voaesjsg.ini
C:\WINDOWS\system32\vqgxurmv.dll
C:\WINDOWS\system32\vvgdtdji.ini
C:\WINDOWS\system32\wfmeos.dll
C:\WINDOWS\system32\wncphnvt.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wvyltmaa.ini
C:\WINDOWS\system32\xdtefffw.dll
C:\WINDOWS\system32\xhtvlrxq.ini
C:\WINDOWS\system32\xrmdfmsm.ini
C:\WINDOWS\system32\xskndali.ini
C:\WINDOWS\system32\xtllrxuc.ini
C:\WINDOWS\system32\yayxvVLC.dll
C:\WINDOWS\system32\yriopf.dll
C:\WINDOWS\system32\ytipqaxe.ini
C:\WINDOWS\system32\yuyquapf.dll
C:\WINDOWS\system32\zielea.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-29 17:56 . 2008-07-29 17:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-29 17:51 . 2008-07-29 17:51 <DIR> d----c--- C:\Deckard
2008-07-29 10:38 . 2008-07-29 10:38 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-25 01:01 . 2008-07-25 14:57 766 --ahs---- C:\WINDOWS\system32\yjmueuyy.ini
2008-07-13 20:42 . 2008-07-31 00:15 135,992 --a------ C:\WINDOWS\system32\pghash.dat
2008-07-13 20:42 . 2008-07-26 22:42 127,908 --a------ C:\WINDOWS\system32\pguard.dat
2008-07-04 17:14 . 2008-07-04 17:15 112,347,130 --a--c--- C:\SYM_REGISTRY_BACKUP.reg
2008-07-01 02:04 . 2008-07-13 20:42 <DIR> d-------- C:\Program Files\ProcessGuard
2008-07-01 02:04 . 2004-10-13 17:06 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2008-07-01 02:04 . 2005-01-20 14:13 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2008-07-01 01:51 . 2008-07-01 01:53 <DIR> d-------- C:\Program Files\mm.BOT
2008-06-29 13:09 . 2008-06-30 09:38 49,186 --ahs---- C:\WINDOWS\system32\puduhcsk.ini
2008-06-29 12:14 . 2008-06-29 12:15 48,765 --ahs---- C:\WINDOWS\system32\tdkqlaai.ini
2008-06-28 12:12 . 2008-06-29 12:14 48,645 --ahs---- C:\WINDOWS\system32\jdoabsur.ini
2008-06-27 12:12 . 2008-06-28 12:10 48,465 --ahs---- C:\WINDOWS\system32\kmquhjtk.ini
2008-06-26 12:06 . 2008-06-27 12:09 81,636 --ahs---- C:\WINDOWS\system32\ojhymfnq.ini
2008-06-17 19:59 . 2008-07-08 15:40 <DIR> d-------- C:\Program Files\Mozilla Firefox 3
2008-06-11 01:26 . 2008-06-11 01:26 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 05:07 885,739 --sha-w C:\WINDOWS\system32\MUBbcIOq.ini2
2008-07-29 22:13 --------- d-----w C:\Program Files\mIRC
2008-07-29 00:55 --------- d-----w C:\Documents and Settings\Mark P\Application Data\Azureus
2008-07-28 23:54 --------- d-----w C:\Program Files\Diablo II
2008-07-08 21:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-08 21:03 --------- d-----w C:\Documents and Settings\Mark P\Application Data\AdobeUM
2008-06-23 11:25 --------- d-----w C:\Program Files\Azureus
2008-06-17 18:26 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-11 12:11 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-02 05:21 --------- d-----w C:\Program Files\Common Files\Scanner
2008-05-31 22:34 --------- d-----w C:\Documents and Settings\Mark P\Application Data\U3
2008-05-31 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 04:51 --------- d-----w C:\Program Files\Lavasoft
2008-05-31 04:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 04:41 --------- d-----w C:\Program Files\Dream Aquarium
2008-05-31 04:29 --------- d-----w C:\Program Files\Webteh
2006-10-11 02:43 44 -c--a-w C:\Program Files\report server ip.txt
2006-09-04 04:50 57,344 -c--a-w C:\Program Files\DiabloClone Firewall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"Screen-Cut"="C:\Program Files\Screen-Cut\Screen-Cut.exe" [2007-08-04 15:23 327680]
"SB Audigy 2 Startup Menu"="C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE" [2002-11-13 01:00 45056]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 16:35 139264]
"HDDHealth"="C:\Program Files\HDD Health\hddhealth.exe" [2003-06-17 13:37 682496]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"!1_ProcessGuard_Startup"="C:\Program Files\ProcessGuard\procguard.exe" [2005-01-20 14:24 280064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 10:35 72736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-04-09 16:08 143360]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 13:06 62760]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00 270336]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2007-11-16 20:20 91432]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00 335872]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-23 23:22 2476408]
"!1_pgaccount"="C:\Program Files\ProcessGuard\pgaccount.exe" [2005-01-20 14:14 184320]
"MsmqIntCert"="mqrt.dll" [2007-07-06 07:46 177152 C:\WINDOWS\system32\mqrt.dll]
"CTHelper"="CTHELPER.EXE" [2007-04-09 12:32 19456 C:\WINDOWS\system32\CtHelper.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Enable Wireless Keyboard Driver.lnk - C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe [2006-03-01 02:30:13 180224]
Enable Wireless Mouse Driver.lnk - C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe [2006-03-01 02:30:14 229376]
Ringo Launcher.lnk - C:\Program Files\Ringo\Hub.exe [2007-03-15 15:42:42 753664]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-03 11:11:33 122880]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe [2006-10-10 23:39:04 5627904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ewkxrjeg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\sandra.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\LimeWire 4.12.4\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Diablo II\\D2Loader-1.11b.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-10-15 15:48]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 01:12]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;C:\Program Files\ProcessGuard\dcsuserprot.exe [2005-01-20 14:25]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2007-04-10 04:32]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 W8100PCI;D-Link AirPlus G Wireless Driver;C:\WINDOWS\system32\DRIVERS\MRV8K51.sys [2004-04-02 15:31]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINDOWS\system32\Drivers\xbreader.sys [2001-01-02 23:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3d247d4-2f60-11dd-bd4b-0040ca83bdf7}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{02082AC9-92A2-4F05-ADC2-9DE76695BBE5} - C:\WINDOWS\system32\eoruegeo.dll
BHO-{1F632004-FEA2-47F2-B8FD-81EE039D0C9A} - C:\Documents and Settings\Mark P\Local Settings\Temporary Internet Files\Content.IE5\PI789HLP\3077ahntdksr[2].dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-BMe38d81fd - C:\WINDOWS\system32\ddhgkscj.dll
HKLM-Run-e0beb261 - C:\WINDOWS\system32\abbirsgs.dll
HKLM-Run-WMC_AutoUpdate - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 -: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 -: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark P\Start Menu\Programs\IMVU\Run IMVU.lnk


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 00:15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ad-Watch Real-Time Scanner]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\AWRTPD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\OSD.exe
.
**************************************************************************
.
Completion time: 2008-07-31 0:25:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 05:25:28

Pre-Run: 1,159,081,984 bytes free
Post-Run: 1,039,536,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

359 --- E O F --- 2008-05-20 05:56:22


As requested, here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:39 AM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\HDD Health\hddhealth.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\Ringo\Hub.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Screen-Cut] "C:\Program Files\Screen-Cut\Screen-Cut.exe" -quiet
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Framework.exe.lnk = C:\Program Files\Windows Media Player\Framework.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Ringo Launcher.lnk = C:\Program Files\Ringo\Hub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark P\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141327670687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144870238968
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - AppInit_DLLs: ewkxrjeg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

--
End of file - 13157 bytes


There you go, both of those logs. Let me know if the second log was what you wanted, if not I'll do that full DSS scan again. Thanks a bunch :thumbsup: !

Edited by Mark P., 31 July 2008 - 10:17 PM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:24 AM

Posted 01 August 2008 - 12:54 AM

Hi,

Let's deal with the leftovers now... But first of all, disable your Adwatch and leave it disabled during our fixes, because adwatch interferes with the registry changes/fixes Combofix makes and puts everything back afterwards.

Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\yjmueuyy.ini
C:\WINDOWS\system32\puduhcsk.ini
C:\WINDOWS\system32\tdkqlaai.ini
C:\WINDOWS\system32\jdoabsur.ini
C:\WINDOWS\system32\kmquhjtk.ini
C:\WINDOWS\system32\ojhymfnq.ini
C:\WINDOWS\system32\MUBbcIOq.ini2
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

From the PM you sent me:

My PC is working a lot better than it has been, and my windows updates are working once more smile.gif ! I think that there won't be a whole lot left to repair whatever else may still be affected with my PC, thank you so much already

So I can assume that Windows update are OK again now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Mark P.

Mark P.
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 01 August 2008 - 05:28 AM

As requested, I finished running the CFScript and the resulting CF and HJ logs are posted below. Most everything on my PC seems to be operating normally enough. Now, as far as the Windows Updates go? Well, I have some mixed reviews there. I had about 10 different updates successfully install at the time that I had send you that PM, however later on 1 MAJOR update failed to properly install….XP Service pack 3 of all things. Somewhere in the middle of the installation of it, I kept getting an error saying something to the effect of: “Service Pack 3 – Access denied”, and the update would try to roll back to an earlier state and uninstall. I’ve now tried installing SP3 3 different times, each time with the exact same error occurring at the same stage of the installation each time. Other than this problem with getting service pack 3 installed, everything else seems to be fine and operating normally :thumbsup: .


Here is the ComboFix log:

ComboFix 08-07-29.1 - Mark P 2008-08-01 2:49:18.2 - NTFSx86
Running from: C:\Documents and Settings\Mark P\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark P\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\jdoabsur.ini
C:\WINDOWS\system32\kmquhjtk.ini
C:\WINDOWS\system32\MUBbcIOq.ini2
C:\WINDOWS\system32\ojhymfnq.ini
C:\WINDOWS\system32\puduhcsk.ini
C:\WINDOWS\system32\tdkqlaai.ini
C:\WINDOWS\system32\yjmueuyy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_005309_.tmp.dll
C:\WINDOWS\system32\_005310_.tmp.dll
C:\WINDOWS\system32\_005311_.tmp.dll
C:\WINDOWS\system32\_005312_.tmp.dll
C:\WINDOWS\system32\_005319_.tmp.dll
C:\WINDOWS\system32\_005320_.tmp.dll
C:\WINDOWS\system32\_005321_.tmp.dll
C:\WINDOWS\system32\_005323_.tmp.dll
C:\WINDOWS\system32\_005324_.tmp.dll
C:\WINDOWS\system32\_005327_.tmp.dll
C:\WINDOWS\system32\_005328_.tmp.dll
C:\WINDOWS\system32\_005330_.tmp.dll
C:\WINDOWS\system32\_005331_.tmp.dll
C:\WINDOWS\system32\_005332_.tmp.dll
C:\WINDOWS\system32\_005334_.tmp.dll
C:\WINDOWS\system32\_005337_.tmp.dll
C:\WINDOWS\system32\_005338_.tmp.dll
C:\WINDOWS\system32\_005342_.tmp.dll
C:\WINDOWS\system32\_005343_.tmp.dll
C:\WINDOWS\system32\_005345_.tmp.dll
C:\WINDOWS\system32\_005348_.tmp.dll
C:\WINDOWS\system32\_005351_.tmp.dll
C:\WINDOWS\system32\_005352_.tmp.dll
C:\WINDOWS\system32\_005353_.tmp.dll
C:\WINDOWS\system32\_005354_.tmp.dll
C:\WINDOWS\system32\_005357_.tmp.dll
C:\WINDOWS\system32\_005358_.tmp.dll
C:\WINDOWS\system32\_005359_.tmp.dll
C:\WINDOWS\system32\_005360_.tmp.dll
C:\WINDOWS\system32\_005361_.tmp.dll
C:\WINDOWS\system32\_005366_.tmp.dll
C:\WINDOWS\system32\_005368_.tmp.dll
C:\WINDOWS\system32\_007661_.tmp.dll
C:\WINDOWS\system32\_007662_.tmp.dll
C:\WINDOWS\system32\_007663_.tmp.dll
C:\WINDOWS\system32\_007664_.tmp.dll
C:\WINDOWS\system32\_007671_.tmp.dll
C:\WINDOWS\system32\_007672_.tmp.dll
C:\WINDOWS\system32\_007673_.tmp.dll
C:\WINDOWS\system32\_007674_.tmp.dll
C:\WINDOWS\system32\_007676_.tmp.dll
C:\WINDOWS\system32\_007677_.tmp.dll
C:\WINDOWS\system32\_007680_.tmp.dll
C:\WINDOWS\system32\_007681_.tmp.dll
C:\WINDOWS\system32\_007683_.tmp.dll
C:\WINDOWS\system32\_007684_.tmp.dll
C:\WINDOWS\system32\_007685_.tmp.dll
C:\WINDOWS\system32\_007687_.tmp.dll
C:\WINDOWS\system32\_007690_.tmp.dll
C:\WINDOWS\system32\_007691_.tmp.dll
C:\WINDOWS\system32\_007695_.tmp.dll
C:\WINDOWS\system32\_007696_.tmp.dll
C:\WINDOWS\system32\_007698_.tmp.dll
C:\WINDOWS\system32\_007701_.tmp.dll
C:\WINDOWS\system32\_007704_.tmp.dll
C:\WINDOWS\system32\_007705_.tmp.dll
C:\WINDOWS\system32\_007706_.tmp.dll
C:\WINDOWS\system32\_007707_.tmp.dll
C:\WINDOWS\system32\_007708_.tmp.dll
C:\WINDOWS\system32\_007711_.tmp.dll
C:\WINDOWS\system32\_007712_.tmp.dll
C:\WINDOWS\system32\_007713_.tmp.dll
C:\WINDOWS\system32\_007714_.tmp.dll
C:\WINDOWS\system32\_007715_.tmp.dll
C:\WINDOWS\system32\_007720_.tmp.dll
C:\WINDOWS\system32\_007722_.tmp.dll
C:\WINDOWS\system32\jdoabsur.ini
C:\WINDOWS\system32\kmquhjtk.ini
C:\WINDOWS\system32\ojhymfnq.ini
C:\WINDOWS\system32\puduhcsk.ini
C:\WINDOWS\system32\tdkqlaai.ini
C:\WINDOWS\system32\yjmueuyy.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-07-31 17:25 . 2004-08-04 02:56 3,555,328 --a------ C:\WINDOWS\system32\dllcache\moviemk.exe
2008-07-31 16:42 . 2008-07-31 17:42 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-31 16:42 . 2008-07-31 17:47 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-31 16:42 . 2008-07-31 17:42 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-31 16:25 . 2004-08-04 01:00 71,040 --------- C:\WINDOWS\system32\drivers\_005285_.tmp.dll
2008-07-31 13:52 . 2008-04-13 19:12 8,461,312 --a------ C:\WINDOWS\system32\SET22F.tmp
2008-07-31 13:51 . 2008-04-13 19:11 1,267,200 --a------ C:\WINDOWS\system32\SET4DD.tmp
2008-07-31 13:21 . 2008-07-31 17:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-29 17:56 . 2008-07-29 17:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-29 17:51 . 2008-07-29 17:51 <DIR> d----c--- C:\Deckard
2008-07-29 10:38 . 2008-07-29 10:38 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-13 20:42 . 2008-08-01 02:46 157,384 --a------ C:\WINDOWS\system32\pghash.dat
2008-07-13 20:42 . 2008-08-01 02:46 131,736 --a------ C:\WINDOWS\system32\pguard.dat
2008-07-04 17:14 . 2008-07-04 17:15 112,347,130 --a--c--- C:\SYM_REGISTRY_BACKUP.reg
2008-07-01 02:04 . 2008-07-13 20:42 <DIR> d-------- C:\Program Files\ProcessGuard
2008-07-01 02:04 . 2004-10-13 17:06 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2008-07-01 02:04 . 2005-01-20 14:13 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2008-07-01 01:51 . 2008-07-01 01:53 <DIR> d-------- C:\Program Files\mm.BOT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 07:57 --------- d-----w C:\Program Files\mIRC
2008-08-01 07:49 --------- d-----w C:\Documents and Settings\Mark P\Application Data\Azureus
2008-07-28 23:54 --------- d-----w C:\Program Files\Diablo II
2008-07-08 21:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-08 21:03 --------- d-----w C:\Documents and Settings\Mark P\Application Data\AdobeUM
2008-07-08 20:40 --------- d-----w C:\Program Files\Mozilla Firefox 3
2008-06-23 11:25 --------- d-----w C:\Program Files\Azureus
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-17 18:26 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 12:11 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-11 06:26 --------- d-----w C:\Program Files\Windows Mobile Device Handbook
2008-06-02 05:21 --------- d-----w C:\Program Files\Common Files\Scanner
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2006-10-11 02:43 44 -c--a-w C:\Program Files\report server ip.txt
2006-09-04 04:50 57,344 -c--a-w C:\Program Files\DiabloClone Firewall.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-31_ 0.24.14.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-13 13:10:50 272,128 ----a-w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
+ 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
+ 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
+ 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
+ 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
+ 2008-03-01 23:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
+ 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-05-16 04:57:13 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-31 20:08:09 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-05-16 04:57:14 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-07-31 20:08:10 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-05-16 04:57:14 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-07-31 20:08:10 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-05-16 04:57:13 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-31 20:08:08 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-05-16 04:57:14 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-31 20:08:10 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-05-16 04:57:14 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-31 20:08:10 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-05-16 04:57:14 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-31 20:08:11 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-05-16 04:57:14 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-31 20:08:11 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-05-16 04:57:13 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-31 20:08:09 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-05-16 04:57:13 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-31 20:08:08 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-05-16 04:57:14 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-07-31 20:08:12 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-05-16 04:57:13 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-07-31 20:08:08 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-05-16 04:57:13 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-31 20:08:08 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2004-08-04 06:10:06 53,248 -c----w C:\WINDOWS\ServicePackFiles\i386\1394bus.sys
+ 2004-08-04 05:10:06 53,248 ----a-w C:\WINDOWS\ServicePackFiles\i386\1394bus.sys
- 2004-08-04 07:56:41 201,728 -c----w C:\WINDOWS\ServicePackFiles\i386\ati2dvag.dll
+ 2004-08-04 06:56:42 201,728 ----a-w C:\WINDOWS\ServicePackFiles\i386\ati2dvag.dll
- 2004-08-04 07:56:41 870,784 -c----w C:\WINDOWS\ServicePackFiles\i386\ati3d1ag.dll
+ 2004-08-04 06:56:42 870,784 ----a-w C:\WINDOWS\ServicePackFiles\i386\ati3d1ag.dll
- 2004-08-04 07:56:41 1,888,992 -c----w C:\WINDOWS\ServicePackFiles\i386\ati3duag.dll
+ 2004-08-04 06:56:42 1,888,992 ----a-w C:\WINDOWS\ServicePackFiles\i386\ati3duag.dll
- 2004-08-04 07:56:41 516,768 -c----w C:\WINDOWS\ServicePackFiles\i386\ativvaxx.dll
+ 2004-08-04 06:56:42 516,768 ----a-w C:\WINDOWS\ServicePackFiles\i386\ativvaxx.dll
- 2004-08-04 06:07:58 60,288 -c----w C:\WINDOWS\ServicePackFiles\i386\drmk.sys
+ 2004-08-04 05:07:58 60,288 ----a-w C:\WINDOWS\ServicePackFiles\i386\drmk.sys
- 2004-08-04 06:08:21 10,624 -c----w C:\WINDOWS\ServicePackFiles\i386\gameenum.sys
+ 2004-08-04 05:08:22 10,624 ----a-w C:\WINDOWS\ServicePackFiles\i386\gameenum.sys
- 2004-08-04 06:08:19 36,224 -c----w C:\WINDOWS\ServicePackFiles\i386\hidclass.sys
+ 2004-08-04 05:08:20 36,224 ----a-w C:\WINDOWS\ServicePackFiles\i386\hidclass.sys
- 2004-08-04 06:08:16 24,960 -c----w C:\WINDOWS\ServicePackFiles\i386\hidparse.sys
+ 2004-08-04 05:08:16 24,960 ----a-w C:\WINDOWS\ServicePackFiles\i386\hidparse.sys
- 2004-08-04 06:15:21 140,928 -c----w C:\WINDOWS\ServicePackFiles\i386\ks.sys
+ 2004-08-04 05:15:22 140,928 ----a-w C:\WINDOWS\ServicePackFiles\i386\ks.sys
- 2004-08-04 07:56:57 294,912 -c----w C:\WINDOWS\ServicePackFiles\i386\msh263.drv
+ 2004-08-04 07:56:58 294,912 ----a-w C:\WINDOWS\ServicePackFiles\i386\msh263.drv
- 2004-08-04 06:10:08 61,056 -c----w C:\WINDOWS\ServicePackFiles\i386\ohci1394.sys
+ 2004-08-04 05:10:08 61,056 ----a-w C:\WINDOWS\ServicePackFiles\i386\ohci1394.sys
- 2004-08-04 06:15:49 145,792 -c----w C:\WINDOWS\ServicePackFiles\i386\portcls.sys
+ 2004-08-04 05:15:50 145,792 ----a-w C:\WINDOWS\ServicePackFiles\i386\portcls.sys
- 2004-08-04 07:56:44 151,552 -c----w C:\WINDOWS\ServicePackFiles\i386\scrrun.dll
+ 2004-08-04 08:56:46 151,552 ----a-w C:\WINDOWS\ServicePackFiles\i386\scrrun.dll
- 2004-08-04 06:08:02 48,640 -c----w C:\WINDOWS\ServicePackFiles\i386\stream.sys
+ 2004-08-04 05:08:02 48,640 ----a-w C:\WINDOWS\ServicePackFiles\i386\stream.sys
- 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-04-20 05:07:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 07:56:42 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\dllcache\msctf.dll
- 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-03-01 23:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-24 03:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2004-08-04 07:56:53 60,416 ----a-w C:\WINDOWS\system32\dllcache\msimn.exe
- 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2004-08-04 07:56:46 221,184 ----a-w C:\WINDOWS\system32\dllcache\wmpns.dll
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2004-08-04 06:00:54 71,040 ------w C:\WINDOWS\system32\drivers\_005285_.tmp.dll
+ 2004-08-04 06:00:54 71,040 ------w C:\WINDOWS\system32\drivers\_007637_.tmp.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-07-31 05:12:12 224,327 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-01 08:00:03 224,337 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 23:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 14:15:48 17,972,344 -c--a-w C:\WINDOWS\system32\MRT.exe
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
- 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-03-01 23:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-24 03:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2004-08-04 07:56:41 229,376 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\ati2cqag.dll
+ 2004-08-04 06:56:42 201,728 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\ati2dvag.dll
+ 2004-08-04 04:29:26 701,440 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\ati2mtag.sys
+ 2004-08-04 06:56:42 870,784 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\ati3d1ag.dll
+ 2004-08-04 06:56:42 1,888,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\ati3duag.dll
+ 2004-08-04 06:56:42 516,768 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\ativvaxx.dll
+ 2004-08-04 05:59:19 36,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\intelppm.sys
+ 2003-03-31 12:00:00 35,840 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\isapnp.sys
+ 2004-08-04 07:56:41 229,376 ----a-w C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\ati2cqag.dll
+ 2004-08-04 06:56:42 201,728 ----a-w C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\ati2dvag.dll
+ 2004-08-04 04:29:26 701,440 ----a-w C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\ati2mtag.sys
+ 2004-08-04 06:56:42 870,784 ----a-w C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\ati3d1ag.dll
+ 2004-08-04 06:56:42 1,888,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\ati3duag.dll
+ 2004-08-04 06:56:42 516,768 ----a-w C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\ativvaxx.dll
- 2004-08-04 07:56:56 8,192 -c--a-w C:\WINDOWS\system32\spdwnwxp.exe
+ 2008-04-14 00:12:36 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
- 2006-10-16 21:10:58 14,640 -c--a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-08-11 01:46:18 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2006-10-16 21:10:58 23,856 -c--a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-08-11 01:46:18 26,488 ----a-w C:\WINDOWS\system32\spupdsvc.exe
- 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-08-01 08:00:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_624.dat
- 2007-01-19 20:15:24 74,802 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
+ 2008-04-14 00:12:50 74,802 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
- 2007-01-19 20:15:24 995,383 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll
+ 2008-04-14 00:12:50 995,383 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll
- 2007-01-19 20:15:24 1,011,774 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
+ 2008-04-14 00:12:50 1,011,774 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
- 2007-01-19 20:15:24 401,462 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll
+ 2008-04-14 00:12:50 401,462 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll
+ 2008-04-14 00:12:51 1,054,208 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
- 2004-08-04 07:56:59 853,504 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
+ 2008-04-14 00:12:49 853,504 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
- 2004-08-04 07:56:59 991,232 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
+ 2008-04-14 00:12:50 991,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
- 2004-08-04 07:55:56 132,096 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
+ 2008-04-13 18:26:33 132,096 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 22:49 4662776]
"Screen-Cut"="C:\Program Files\Screen-Cut\Screen-Cut.exe" [2007-08-04 15:23 327680]
"SB Audigy 2 Startup Menu"="C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE" [2002-11-13 01:00 45056]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 16:35 139264]
"HDDHealth"="C:\Program Files\HDD Health\hddhealth.exe" [2003-06-17 13:37 682496]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"!1_ProcessGuard_Startup"="C:\Program Files\ProcessGuard\procguard.exe" [2005-01-20 14:24 280064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 10:35 72736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-04-09 16:08 143360]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 13:06 62760]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00 270336]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2007-11-16 20:20 91432]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00 335872]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-23 23:22 2476408]
"!1_pgaccount"="C:\Program Files\ProcessGuard\pgaccount.exe" [2005-01-20 14:14 184320]
"MsmqIntCert"="mqrt.dll" [2007-07-06 07:46 177152 C:\WINDOWS\system32\mqrt.dll]
"CTHelper"="CTHELPER.EXE" [2007-04-09 12:32 19456 C:\WINDOWS\system32\CtHelper.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Enable Wireless Keyboard Driver.lnk - C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe [2006-03-01 02:30:13 180224]
Enable Wireless Mouse Driver.lnk - C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe [2006-03-01 02:30:14 229376]
Ringo Launcher.lnk - C:\Program Files\Ringo\Hub.exe [2007-03-15 15:42:42 753664]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-03 11:11:33 122880]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe [2006-10-10 23:39:04 5627904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\sandra.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\LimeWire 4.12.4\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Diablo II\\D2Loader-1.11b.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-10-15 15:48]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 01:12]
R2 DCSPGSRV;DiamondCS Process Guard Service v3.000;C:\Program Files\ProcessGuard\dcsuserprot.exe [2005-01-20 14:25]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2007-04-10 04:32]
R2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;D:\PNDIS5.SYS []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 W8100PCI;D-Link AirPlus G Wireless Driver;C:\WINDOWS\system32\DRIVERS\MRV8K51.sys [2004-04-02 15:31]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINDOWS\system32\Drivers\xbreader.sys [2001-01-02 23:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3d247d4-2f60-11dd-bd4b-0040ca83bdf7}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 03:01:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ad-Watch Real-Time Scanner]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\AWRTPD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\OSD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\update.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-01 3:30:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 08:29:58
ComboFix2.txt 2008-07-31 05:25:42

Pre-Run: 864,919,552 bytes free
Post-Run: 251,908,096 bytes free

568 --- E O F --- 2008-07-31 21:59:40


Here is the log from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:27 AM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\HDD Health\hddhealth.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Ringo\Hub.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\update.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Screen-Cut] "C:\Program Files\Screen-Cut\Screen-Cut.exe" -quiet
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Framework.exe.lnk = C:\Program Files\Windows Media Player\Framework.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Ringo Launcher.lnk = C:\Program Files\Ringo\Hub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mark P\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141327670687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144870238968
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

--
End of file - 13059 bytes


There you have both logs above. Thanks for reading :) .

Edited by Mark P., 01 August 2008 - 05:31 AM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:24 AM

Posted 01 August 2008 - 06:21 AM

Hi,

Navigate to and delete the following files:

C:\WINDOWS\system32\drivers\_005285_.tmp.dll
C:\WINDOWS\system32\SET22F.tmp
C:\WINDOWS\system32\SET4DD.tmp

Check and fix next entry in HIjackThis:

O2 - BHO: (no name) - rsion - (no file)

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

For Service pack 3 and the error you are getting, take a look here: http://support.microsoft.com/kb/949377
But I suggest you temporary uninstall Ad-Aware 2007, this because it has Adwatch enabled and I know Adwatch interferes with Windows updates. Even though you disable Adwatch, it will reload after reboot and block/deny the updates anyway.

Edited by miekiemoes, 01 August 2008 - 06:21 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Mark P.

Mark P.
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 02 August 2008 - 04:03 AM

I have deleted the 3 files, fixed the specific entry in HijackThis that you mentioned, and I followed your instructions on deleting ComboFix. Also, I went to the specific Windows article you had linked me to above, and after trying out each of the 3 steps to find the solution to my problem, step 3 turned out to be the one I needed, actually needing to edit the registry entries. I followed the instructions on doing so, and upon completion of that XP Service Pack 3 now seems to be properly installed. Thank you very much for your help :thumbsup: !!!

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:24 AM

Posted 02 August 2008 - 04:07 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:24 AM

Posted 05 August 2008 - 11:55 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users