
Infected With Vundo Resident / Small-gen / Rel



#1 paitkenhead


Posted 07 August 2008 - 09:57 PM

I've suddenly been having problems with pop-ups (usually occurring a short while after I start Firefox / Explorer) and Security Centre keeps telling me that Automatic Updates is turned off. If I go to Automatic Updates settings though it shows that it is turned on.

I've tried SuperAntispyware, vundofix, a-squared free, spybot search and destroy to remove it with no success.

Please find below the contents of my Main.txt generated by DSS:

Deckard's System Scanner v20071014.68
Run by Aitkemp on 2008-08-08 12:46:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
24: 2008-08-08 02:46:26 UTC - RP436 - Deckard's System Scanner Restore Point
23: 2008-08-07 09:42:14 UTC - RP435 - Last known good configuration
22: 2008-08-07 09:42:14 UTC - RP434 - Installed SUPERAntiSpyware Free Edition
21: 2008-08-07 09:42:14 UTC - RP433 - System Checkpoint
20: 2008-08-07 09:42:14 UTC - RP432 - System Checkpoint


-- First Restore Point --
1: 2008-08-07 09:42:09 UTC - RP413 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Aitkemp.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:56 PM, on 8/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\EVEMon\EVEMon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aitkemp\Desktop\dss.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Aitkemp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://61.9.222.148/Remote/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.smh.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {ef7baedb-94c1-0158-e844-27f118c734c6} - {6c437c81-1f72-448e-8510-1c49bdeab7fe} - C:\WINDOWS\system32\sxzvml.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8853D1E5-5CA5-4524-9ACF-DC2AD2BED01C} - (no file)
O2 - BHO: (no name) - {CC6C9E58-B061-4223-A94D-A9304B062E7B} - (no file)
O2 - BHO: (no name) - {FD19E3B6-FD31-43A4-8F64-AC3586EE1D03} - C:\WINDOWS\system32\rqRHbxWp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [EVEMon] "C:\Program Files\EVEMon\EVEMon.exe" -startMinimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak Picture Transfer.lnk = C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com
O15 - Trusted Zone: *.mytranscriptions.com
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://10.0.0.1/ConnectComputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184234810437
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://10.0.0.1/Remote/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{172DA0CD-1B0D-4FD2-85E8-87FDE485EC44}: Domain = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{172DA0CD-1B0D-4FD2-85E8-87FDE485EC44}: NameServer = 144.140.70.30,144.140.71.16
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak picture transfer agent (KODAK Picture Transfer Agent) - Eastman Kodak Company - C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Cricket 2007 Drivers Auto Removal (pr2agnqb) (pr2agnqb) - Codemasters - C:\WINDOWS\system32\pr2agnqb.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13837 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync03 (StarForce Protection Synchronization Driver (version 3.x)) - c:\windows\system32\drivers\sfsync03.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; C-Dilla Ltd; SafeCast Windows NT>
R2 KODAK Picture Transfer Agent - "c:\program files\kodak\kodak utilities\pts\kodak picture transfer service.exe" <Not Verified; Eastman Kodak Company; Kodak Picture Transfer Agent>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe
R2 Ventrilo - c:\program files\ventsrv\ventrilo_svc.exe

S3 AdobeVersionCue - c:\program files\adobe\adobe version cue\service\versioncue.exe <Not Verified; Adobe Sytems; Adobe Version Cue™>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S3 Ussolelo -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\110889B123C04
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\110889B123C04
Service: NIC1394

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6120 classic
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6120 classic
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-08-06 06:13:50 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-08-03 10:57:01 440 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job
2008-08-03 03:00:01 278 --a------ C:\WINDOWS\Tasks\EFILive V7.5 Updates.job


-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 12:48:42 0 d-------- C:\Program Files\Trend Micro
2008-08-07 19:41:48 0 d-------- C:\WINDOWS\CSC
2008-08-07 11:31:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 11:31:51 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 11:31:51 0 d-------- C:\Documents and Settings\Aitkemp\Application Data\SUPERAntiSpyware.com
2008-08-07 11:31:12 0 d-------- C:\Program Files\a-squared Free
2008-08-07 10:24:47 0 d-------- C:\VundoFix Backups
2008-08-06 06:13:46 0 d-------- C:\Program Files\Apple Software Update
2008-08-06 06:11:35 0 d-------- C:\Program Files\iPod
2008-08-06 06:11:32 0 d-------- C:\Program Files\iTunes
2008-08-01 06:00:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 05:51:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 20:08:43 0 d-------- C:\Program Files\Emdat
2008-07-29 22:02:21 120448 --a------ C:\WINDOWS\system32\mirzeb.dll
2008-07-29 22:02:18 120448 --a------ C:\WINDOWS\system32\rjfotgtl.dll
2008-07-25 21:59:22 156760 --ahs---- C:\WINDOWS\system32\pWxbHRqr.ini2
2008-07-25 21:59:15 323584 -----n--- C:\WINDOWS\system32\rqRHbxWp.dll
2008-07-24 13:19:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-24 13:18:04 0 d-------- C:\Program Files\Sierra Online
2008-07-22 20:31:41 0 d-------- C:\Program Files\EFILive
2008-07-22 20:30:48 0 d--h---c- C:\Documents and Settings\All Users\Application Data\{CA7FCF0C-8B0B-4C6D-9391-5D9C0D96FF0D}
2008-07-16 07:35:25 8864 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2008-07-16 07:35:25 0 d--h----- C:\C_DILLA
2008-07-15 22:06:19 0 d-------- C:\Program Files\Bonjour
2008-07-15 22:05:16 0 d-------- C:\Program Files\QuickTime
2008-07-15 16:30:27 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-15 16:30:11 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-15 16:29:28 0 d-------- C:\WINDOWS\Internet Logs
2008-07-15 14:03:59 0 d-------- C:\Documents and Settings\Aitkemp\Application Data\MailFrontier
2008-07-09 16:21:48 0 d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-09 16:20:24 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU


-- Find3M Report ---------------------------------------------------------------

2008-08-08 06:54:04 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-08-07 11:31:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 21:33:06 0 d-------- C:\Documents and Settings\Aitkemp\Application Data\Adobe
2008-07-24 13:18:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 16:42:19 0 d-------- C:\Program Files\Java
2008-07-09 16:21:55 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-07 23:40:16 0 d-------- C:\Documents and Settings\Aitkemp\Application Data\EVEMon
2008-07-06 11:07:43 0 d-------- C:\Documents and Settings\Aitkemp\Application Data\Skinux
2008-07-06 11:01:52 0 d-------- C:\Program Files\Kodak
2008-07-06 11:00:10 0 d-------- C:\Program Files\Common Files\Kodak
2008-07-06 10:58:56 0 d-------- C:\Program Files\Common Files
2008-07-01 21:55:40 0 d-------- C:\Program Files\Safari
2008-06-24 21:18:10 57296 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-21 11:55:34 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-18 20:34:22 0 d-------- C:\Documents and Settings\Aitkemp\Application Data\Macromedia
2008-06-18 12:24:13 0 d-------- C:\Documents and Settings\Aitkemp\Application Data\Mozilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c437c81-1f72-448e-8510-1c49bdeab7fe}]
C:\WINDOWS\system32\sxzvml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8853D1E5-5CA5-4524-9ACF-DC2AD2BED01C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC6C9E58-B061-4223-A94D-A9304B062E7B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD19E3B6-FD31-43A4-8F64-AC3586EE1D03}]
25/07/2008 09:59 PM 323584 --------- C:\WINDOWS\system32\rqRHbxWp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 01:41 AM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [29/10/2002 09:18 AM]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [30/09/2002 01:00 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [30/06/2004 01:33 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27 AM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [23/04/2008 02:08 AM]
"@"="" []
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 01:20 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [29/09/2006 12:39 PM]
"nwiz"="nwiz.exe" [05/12/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [11/08/2006 02:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 02:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [20/09/2007 08:51 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [23/08/2004 06:19 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 02:57 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 01:41 AM]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [13/10/2003 04:24 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/07/2008 09:05 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [10/07/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/07/2008 10:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 11:18 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [23/10/2007 02:18 PM]
"DriverUpdaterPro"="C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe" []
"EVEMon"="C:\Program Files\EVEMon\EVEMon.exe" [04/03/2008 11:44 PM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [6/08/2007 9:29:44 AM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [20/10/2004 1:12:24 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [10/05/2008 7:15:28 AM]
Kodak Picture Transfer.lnk - C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer.exe [13/03/2007 12:02:18 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRHbxWp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bac7233-6187-11dc-9345-001111a0d17e}]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}]
AutoRun\command- F:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8940 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-08 12:50:02 ------------

And here is the Extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.40GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 3070.09 MiB / 2209.65 MiB
Pagefile Memory (total/avail): 5983.61 MiB / 5160.64 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1908.36 MiB

C: is Fixed (NTFS) - 69.23 GiB total, 19.92 GiB free.
D: is Fixed (NTFS) - 139.73 GiB total, 70.21 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD1500AHFD-00RAR1 - 139.73 GiB - 1 partition
\PARTITION0 - Installable File System - 139.73 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD740ADFD-00NLR4 - 69.24 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 69.23 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
FirewallOverride is set.

FW: ZoneAlarm Security Suite Firewall v7.0.483.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.483.000 (Check Point, LTD.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\Program Files\\Kodak\\Kodak Utilities\\PTS\\Kodak Picture Transfer Service.exe"="C:\\Program Files\\Kodak\\Kodak Utilities\\PTS\\Kodak Picture Transfer Service.exe:*:Enabled:Kodak Picture Transfer Service.exe"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Aitkemp\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AITKEMP8400
ComSpec=C:\WINDOWS\system32\cmd.exe
CSILOGLEVEL=NORMAL
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Aitkemp
LOGONSERVER=\\AITKEMP8400
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Common-Use Signing Interface\JRE\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Aitkemp\LOCALS~1\Temp
TMP=C:\DOCUME~1\Aitkemp\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=AITKEMP8400
USERNAME=Aitkemp
USERPROFILE=C:\Documents and Settings\Aitkemp
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Aitkemp (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2\Program\SETUP.EXE" /S /U /W
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}
--> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{416DFEDD-9F1B-4EFC-AF70-FCA891AE0251}\zidxp.exe"
--> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01958032-9877-4118-B87F-9EFA74B3F15F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3E4251D-8364-4698-B0E0-A7C799384403}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Free 3.5 --> "C:\Program Files\a-squared Free\unins000.exe"
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
ABBYY FineReader 6.0 --> MsiExec.exe /I{AF600F7B-67A7-48D9-BA3B-0FF97F35F970}
Aces of the Galaxy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39C2EACE-52B5-4EE2-B0E1-799827AB5C60}\acesofthegalaxySetup.exe" -l0x9 -removeonly
Adobe Acrobat 7.1.0 Standard --> msiexec /I {AC76BA86-1033-0000-BA7E-000000000002}
Adobe Creative Suite --> C:\PROGRA~1\INSTAL~1\{D52EC~1\setup.exe /Relaunched=yes /Uninstall /Relaunched=yes
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements 3.0 --> MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update --> MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom Gigabit Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Color Matching System --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0307120-889A-11D8-8627-00055DFD8F8E}\setup.exe"
Comic Life --> MsiExec.exe /X{BB148BFF-D96D-48B6-9B4A-243DCC6DD444}
Common-Use Signing Interface --> "C:\Documents and Settings\All Users\Application Data\{53608B89-D534-4FA6-B348-02EF7D3C693C}\CSI Installer.exe" REMOVE=TRUE MODIFY=FALSE
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
CSI Management Utility --> C:\Program Files\CSI\Uninstall.exe
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
ECI Client v5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{937C6F96-CEA5-4B97-848D-1328BD8D59D4}\setup.exe" -l0x9 -uninst -removeonly
EFILive V7.5 --> "C:\Documents and Settings\All Users\Application Data\{CA7FCF0C-8B0B-4C6D-9391-5D9C0D96FF0D}\EFILiveV7.5.4.exe" REMOVE=TRUE MODIFY=FALSE
EFILive V7.5 --> C:\Documents and Settings\All Users\Application Data\{CA7FCF0C-8B0B-4C6D-9391-5D9C0D96FF0D}\EFILiveV7.5.4.exe
Emdat Runtime Components - Version 1.4.499 (Admin) --> rundll32.exe advpack.dll,LaunchINFSection C:\PROGRA~1\Emdat\RUNTIM~1\V14~1.499\A1\uninstall.inf,DefaultUninstall,1
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
EVE-ONLINE (remove only) --> C:\Program Files\CCP\EVEb\Uninstall.exe
EVEMon --> C:\Program Files\EVEMon\uninstall.exe
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109) --> C:\WINDOWS\SQL9_KB948109_ENU\Hotfix.exe /Uninstall
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109) --> C:\WINDOWS\SQLTools9_KB948109_ENU\Hotfix.exe /Uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Matrix Storage Manager --> C:\WINDOWS\System32\Imsmudlg.exe
iTunes --> MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_3e3b89a\Setup.exe /APR-REMOVE
medfiltr --> MsiExec.exe /I{8D9702F1-1BEB-4F51-96CC-2E9B5A000FA1}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {D93F9C7C-AB57-44C8-BAD6-1494674BCAF7} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Microtek Scanner ICC Profiler --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4A344E44-3337-11D9-8629-00055DFD8F8E}\setup.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Visual Studio 2005 --> msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005 --> MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MYOB Accounting Plus v17 --> C:\Program Files\InstallShield Installation Information\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\setup.exe -runfromtemp -l0x0409
MYOB BusinessBasics v1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{27870A7B-2049-4978-96BC-0A1F30F5ECB8}
MYOB ODBC Direct v7 --> C:\Program Files\InstallShield Installation Information\{C71F2873-3229-4A9E-A2A2-F14DCBF63F56}\setup.exe -runfromtemp -l0x0409
Nero 8 --> MsiExec.exe /X{9EDBB857-8028-49CD-B9C9-0B4D10CD1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Nokia_PC_Suite_683_rel_14_1_APAC.exe /LANG="2057"
Nokia PC Suite --> MsiExec.exe /I{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
OpenAL --> "C:\Program Files\OpenAL\OpenALwEAX.exe" /U
PC Connectivity Solution --> MsiExec.exe /I{066D65EA-ED53-44E4-A96A-F81B6E409D2E}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD 5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PTS --> MsiExec.exe /I{167E980B-3197-409F-ABD6-971165C769C3}
PuTTY version 0.60 --> "C:\Program Files\PuTTY\unins000.exe"
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Ricky Ponting International Cricket 2007 --> C:\Program Files\InstallShield Installation Information\{F218E3AA-F9A7-4ABF-9A7A-E5763905E2CA}\setup.exe -runfromtemp -l0x0009 -removeonly
Safari --> MsiExec.exe /I{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}
ScanWizard Pro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1334AAA-5C3E-11D6-8FC3-0080C85A0C2D}\setup.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {94E2AAC1-CAE5-4F73-B0D1-C471BA1F8E2A} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Showroom Direct --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://tjunction.toyota.com.au/showroomV2/s3direct.jnlp"
SilverFast Ai CD Documentation 6.2.0 --> "C:\Program Files\LaserSoft\unins000.exe"
SilverFast MicroSDK --> "C:\Program Files\LaserSoft\SilverFast MicroSDK\unins000.exe"
SilverFast MicroSDK TWAIN --> "C:\WINDOWS\twain_32\LaserSoft\SilverFast MicroSDK\unins000.exe"
skin0001 --> MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sound Blaster Audigy 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E82BF103-904F-49C0-B77F-6EC110B71E87}\SETUP.EXE" -l0x9
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TeamSpeak 2 Server RC2 --> "C:\Program Files\Teamspeak2_RC2\unins001.exe"
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type8953 / Warning
Event Submitted/Written: 08/08/2008 00:49:42 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}', feature 'BASlink_SysFiles' failed during request for component '{D802586C-F109-4B89-B5CF-6EF02E55BE6C}'

Event Record #/Type8952 / Warning
Event Submitted/Written: 08/08/2008 00:49:42 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}', feature 'Main_Program_Files', component '{A8A1495F-36E5-11D2-B15A-00C04F990B2B}' failed. The resource 'C:\WINDOWS\system32\msflxgrd.ocx' does not exist.

Event Record #/Type8950 / Warning
Event Submitted/Written: 08/08/2008 00:49:38 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}', feature 'BASlink_SysFiles' failed during request for component '{D802586C-F109-4B89-B5CF-6EF02E55BE6C}'

Event Record #/Type8949 / Warning
Event Submitted/Written: 08/08/2008 00:49:38 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}', feature 'Main_Program_Files', component '{A8A1495F-36E5-11D2-B15A-00C04F990B2B}' failed. The resource 'C:\WINDOWS\system32\msflxgrd.ocx' does not exist.

Event Record #/Type8947 / Error
Event Submitted/Written: 08/08/2008 00:49:38 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: MYOB Accounting Plus v17 -- Error 1706.No valid source could be found for product MYOB Accounting Plus v17. The Windows Installer cannot continue.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4110 / Error
Event Submitted/Written: 08/08/2008 07:18:17 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000008e, parameter1 c0000005, parameter2 b9f46911, parameter3 a7714280, parameter4 00000000.

Event Record #/Type4089 / Warning
Event Submitted/Written: 08/08/2008 07:16:24 AM / 08/08/2008 07:16:52 AM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type4084 / Error
Event Submitted/Written: 08/08/2008 07:13:36 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type4083 / Error
Event Submitted/Written: 08/08/2008 06:57:23 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type4080 / Error
Event Submitted/Written: 08/08/2008 06:56:10 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}



-- End of Deckard's System Scanner: finished at 2008-08-08 12:50:02 ------------


I would appreciate any help to rid myself of this horrible thing!

Cheers
Paul


#2 steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:12:16 AM

Posted 08 August 2008 - 04:10 PM

Hi

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 paitkenhead

  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 08 August 2008 - 09:53 PM

Thanks very much steam for your help with this. I really appreciate it. Please find below the logs as requested.

Kaspersky Online Scan Log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 08, 2008 23:57:25
Records in database: 1070732
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 308939
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:48:09


File name / Threat name / Threats count
C:\WINDOWS\system32\mirzeb.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.chh 1
C:\WINDOWS\system32\rjfotgtl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.chh 1
D:\Install Downloads\Nero-8.1.1.4_eng_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

The selected area was scanned.


Malware Bytes log:
Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

11:34:14 AM 9/08/2008
mbam-log-8-9-2008 (11-34-14).txt

Scan type: Quick Scan
Objects scanned: 45841
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rqRHbxWp.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c437c81-1f72-448e-8510-1c49bdeab7fe} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6c437c81-1f72-448e-8510-1c49bdeab7fe} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fd19e3b6-fd31-43a4-8f64-ac3586ee1d03} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fd19e3b6-fd31-43a4-8f64-ac3586ee1d03} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6230596f-3a44-4cdf-815b-372fa03c75d6} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhbxwp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhbxwp -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sxzvml.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHbxWp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pWxbHRqr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pWxbHRqr.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmMcCS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Combofix Log:
ComboFix 08-08-08.07 - Aitkemp 2008-08-09 11:51:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2584 [GMT 10:00]
Running from: C:\Documents and Settings\Aitkemp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aitkemp\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aitkemp\Application Data\macromedia\Flash Player\#SharedObjects\YKPGVCND\interclick.com
C:\Documents and Settings\Aitkemp\Application Data\macromedia\Flash Player\#SharedObjects\YKPGVCND\interclick.com\ud.sol
C:\Documents and Settings\Aitkemp\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Aitkemp\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\mirzeb.dll
C:\WINDOWS\system32\rjfotgtl.dll
C:\WINDOWS\system32\setup.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 11:26 . 2008-08-09 11:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 11:26 . 2008-08-09 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 11:26 . 2008-08-09 11:26 <DIR> d-------- C:\Documents and Settings\Aitkemp\Application Data\Malwarebytes
2008-08-09 11:26 . 2008-07-30 20:15 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 11:26 . 2008-07-30 20:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-08 12:48 . 2008-08-08 12:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 12:45 . 2008-08-08 12:45 <DIR> d-------- C:\Deckard
2008-08-07 11:31 . 2008-08-07 11:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 11:31 . 2008-08-07 18:00 <DIR> d-------- C:\Program Files\a-squared Free
2008-08-07 11:31 . 2008-08-07 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 11:31 . 2008-08-07 11:31 <DIR> d-------- C:\Documents and Settings\Aitkemp\Application Data\SUPERAntiSpyware.com
2008-08-07 10:24 . 2008-08-07 10:24 <DIR> d-------- C:\VundoFix Backups
2008-08-06 06:13 . 2008-08-06 06:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-06 06:11 . 2008-08-06 06:11 <DIR> d-------- C:\Program Files\iTunes
2008-08-06 06:11 . 2008-08-06 06:11 <DIR> d-------- C:\Program Files\iPod
2008-08-01 06:00 . 2008-08-01 06:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-01 06:00 . 2008-08-01 06:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 05:51 . 2008-08-01 05:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 20:08 . 2008-07-31 20:08 <DIR> d-------- C:\Program Files\Emdat
2008-07-24 15:18 . 2008-07-24 15:18 34,816 --a------ C:\WINDOWS\system32\clbdll.dll.vzr
2008-07-24 15:18 . 2004-08-12 23:17 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-24 13:19 . 2008-07-24 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-24 13:18 . 2008-07-24 13:18 <DIR> d-------- C:\Program Files\Sierra Online
2008-07-22 20:31 . 2008-07-22 20:31 <DIR> d-------- C:\Program Files\EFILive
2008-07-22 20:30 . 2008-08-08 06:54 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{CA7FCF0C-8B0B-4C6D-9391-5D9C0D96FF0D}
2008-07-16 07:35 . 2008-07-16 07:35 <DIR> d--h----- C:\C_DILLA
2008-07-16 07:35 . 2008-07-16 07:35 8,864 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2008-07-15 22:06 . 2008-07-15 22:06 <DIR> d-------- C:\Program Files\Bonjour
2008-07-15 22:05 . 2008-07-15 22:05 <DIR> d-------- C:\Program Files\QuickTime
2008-07-15 16:29 . 2008-08-09 11:44 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-15 14:03 . 2008-07-15 16:50 <DIR> d-------- C:\Documents and Settings\Aitkemp\Application Data\MailFrontier
2008-07-09 16:21 . 2008-07-09 16:21 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-09 16:20 . 2008-07-09 16:20 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 02:20 21,120,544 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-09 02:15 285,956 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-07 20:54 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-07 01:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 03:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-15 06:42 --------- d-----w C:\Program Files\Java
2008-07-15 03:38 --------- d-----w C:\Program Files\Zone Labs
2008-07-09 06:21 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-08 23:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-07 13:40 --------- d-----w C:\Documents and Settings\Aitkemp\Application Data\EVEMon
2008-07-06 01:07 --------- d-----w C:\Documents and Settings\Aitkemp\Application Data\Skinux
2008-07-06 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-07-06 01:01 --------- d-----w C:\Program Files\Kodak
2008-07-06 01:00 --------- d-----w C:\Program Files\Common Files\Kodak
2008-07-01 11:55 --------- d-----w C:\Program Files\Safari
2008-06-21 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2008-06-21 01:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-01-17 23:42 4 --sh--r C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [X]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 23:18 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024]
"EVEMon"="C:\Program Files\EVEMon\EVEMon.exe" [2008-03-04 23:44 847872]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 13:33 1388544]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 12:39 151552]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 18:19 57344]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 16:24 1732608]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 23:18 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 11:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2007-08-06 09:29:44 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 01:12:24 110592]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 07:15:28 282624]
Kodak Picture Transfer.lnk - C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer.exe [2007-03-13 12:02:18 7008256]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\Program Files\\Kodak\\Kodak Utilities\\PTS\\Kodak Picture Transfer Service.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 pe3agnqb;Cricket 2007 Environment Driver (pe3agnqb);C:\WINDOWS\system32\drivers\pe3agnqb.sys [2007-03-04 02:57]
R0 ps6agnqb;Cricket 2007 Synchronization Driver (ps6agnqb);C:\WINDOWS\system32\drivers\ps6agnqb.sys [2007-03-04 02:57]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-07 01:11]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 04:47]
R2 KODAK Picture Transfer Agent;Kodak picture transfer agent;C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe [2007-03-13 12:02]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 03:40]
S2 pr2agnqb;Cricket 2007 Drivers Auto Removal (pr2agnqb);C:\WINDOWS\system32\pr2agnqb.exe svc []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-03 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-12 23:27]

2008-08-02 C:\WINDOWS\Tasks\EFILive V7.5 Updates.job
- C:\WINDOWS\Installer\EFILive V7.5 Updates for All Users.lnk [2008-07-22 20:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6c437c81-1f72-448e-8510-1c49bdeab7fe} - (no file)
BHO-{8853D1E5-5CA5-4524-9ACF-DC2AD2BED01C} - (no file)
BHO-{CC6C9E58-B061-4223-A94D-A9304B062E7B} - (no file)
BHO-{FD19E3B6-FD31-43A4-8F64-AC3586EE1D03} - (no file)
HKCU-Run-DriverUpdaterPro - C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKLM-Run-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Aitkemp\Application Data\Mozilla\Firefox\Profiles\n3t0lhqz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.google.com/mail/
FF -: plugin - C:\Program Files\Common-Use Signing Interface\bin\npCsiPlugin.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 12:19:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-08-09 12:46:10 - machine was rebooted [Aitkemp]
ComboFix-quarantined-files.txt 2008-08-09 02:45:24

Pre-Run: 21,011,587,072 bytes free
Post-Run: 21,382,139,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

224 --- E O F --- 2008-07-25 05:14:20

#4 paitkenhead

paitkenhead
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 08 August 2008 - 10:21 PM

Followup - So far all seems good. No more pop-ups and the security centre message has disappeared!

Thanks very much for your assistance steam - I've made a donation via PayPal.

Cheers,
Paul

#5 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:12:16 AM

Posted 09 August 2008 - 03:33 PM

Hi Paul

Still a little bit of cleaning up to do :thumbsup:

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\clbdll.dll.vzr

DirLook::
C:\Documents and Settings\All Users\Application Data\{CA7FCF0C-8B0B-4C6D-9391-5D9C0D96FF0D}


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

THEN...

It looks as though you had/have a flash drive infection ...

Please run this Flash_Disinfector tool by sUBs ...

http://www.techsupportforum.com/sectools/s...Disinfector.exe

Just download the exe file and double click on it to run it...then follow instructions

A box will pop up telling you to plug in your flash drive and click OK to start the disinfection ... by the way if you try to cross the box off with the X in the corner ... it will run anyway ... after a few seconds a box will pop up saying "done"

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
-
When you have done that ... please download "Mountpoints Diagnostic.zip" by Mosaic1

http://www.help2go.com/index2.php?option=c...oad&id=1450

Unzip it & Double click to run it. It will create a report named Diagnostic.txt. When finished, upload Diagnostic.txt in your next post ...

THEN ...

Your ZoneAlarm Security Suite Antivirus v7.0.483.000 (Check Point, LTD.) is Disabled ... what av are you using ?

If you want an alternative FREE anti-virus try ONE of these :-

AVG FREE > http://free.avg.com/ww.download-avg-anti-virus-free-edition

Avira Antivirus Classic (free): > http://www.free-av.com/

Here is an excellent Guide to its installation and use:-
http://www.techsupportforum.com/content/Se...rticles/64.html

AVAST! > http://www.avast.com/eng/avast_4_home.html

Only Install one & make sure you get the latest updates once installed...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#6 paitkenhead

paitkenhead
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 09 August 2008 - 04:40 PM

Thanks again for your help. I have pasted the logs below. With regards to Zonealarm Security Suite - it was disabled only to allow the running of the diagnostic / anti-virus packages requested. Warnings from Kaspersky Online Scanner etc. suggested that they wouldn't run properly unless all other anti-virus programs were turned off etc. It is normally always active, and is a fully paid and up to date package.

You will note that in this combofix log it suggests that I don't have the recovery console installed, even though I installed it as per instructions before running combofix the first time. I don't know if this is significant but thought I'd highlight it.

Also, when combo fix was running the system appeared as though it was trying to install MYOB Accounting Plus again. It would ask for the disks etc. then cancel itself a few times.

Cheers
Paul

p.s. will have to post the logs via separate posts as it is too long to post together.

#7 paitkenhead

paitkenhead
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 09 August 2008 - 04:43 PM

Had to upload the combo fix log as it was too large to post.


Here is the Mountpoint Diagnostic report:

Diagnostic Report
Sun 10/08/2008 7:31:38.12

Mountpoints > Drives subkeys:
------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d8dd58d-333e-11dc-8bf7-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d8dd58d-333e-11dc-8bf7-001111a0d17e}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d8dd58d-333e-11dc-8bf7-001111a0d17e}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d8dd58d-333e-11dc-8bf7-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc1c-6961-11dc-8d16-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc1c-6961-11dc-8d16-001111a0d17e}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc1c-6961-11dc-8d16-001111a0d17e}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc1c-6961-11dc-8d16-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc27-6961-11dc-8d16-001111a0d17e}]
"BaseClass"="Drive"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,ee,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}\Shell\AutoRun\command]
@="F:\\LaunchU3.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}\_Autorun\DefaultIcon]
@="F:\\LaunchU3.exe,0"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4da9fc68-6961-11dc-8d16-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,01,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,00,00,00

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{674cb7eb-5376-11dc-933c-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{674cb7eb-5376-11dc-933c-001111a0d17e}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{674cb7eb-5376-11dc-933c-001111a0d17e}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{674cb7eb-5376-11dc-933c-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b26f5752-614d-11dd-99d5-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b26f5752-614d-11dd-99d5-001111a0d17e}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b26f5752-614d-11dd-99d5-001111a0d17e}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b26f5752-614d-11dd-99d5-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cd2511c8-7b13-11dc-8d23-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,00,00,00

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbc73cb4-304c-11dc-8578-c62b061be2ef}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbc73cb4-304c-11dc-8578-c62b061be2ef}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbc73cb4-304c-11dc-8578-c62b061be2ef}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbc73cb4-304c-11dc-8578-c62b061be2ef}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e267d1cc-4472-11dc-9334-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,df,df,df,5f,df,df,00,5f,5f,5f,5f,5f,5f,5f,5f,\
5f,5f,00,01,00,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e267d1cc-4472-11dc-9334-806d6172696f}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e267d1cc-4472-11dc-9334-806d6172696f}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e267d1cc-4472-11dc-9334-806d6172696f}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2f3a9ae-50f6-11dc-933a-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2f3a9ae-50f6-11dc-933a-001111a0d17e}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2f3a9ae-50f6-11dc-933a-001111a0d17e}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2f3a9ae-50f6-11dc-933a-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e38e6bc2-309e-11dc-8576-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,60,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e38e6bc2-309e-11dc-8576-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e38e6bc2-309e-11dc-8576-806d6172696f}\_Autorun\DefaultIcon]
@="E:\\setup.exe,0"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e38e6bc3-309e-11dc-8576-f1bc4f5e87ae}]
"BaseClass"="Drive"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e97ca5f6-309d-11dc-908a-806d6172696f}]
"BaseClass"="Drive"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e97ca5f7-309d-11dc-908a-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\
cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,df,df,df,5f,df,df,00,5f,5f,5f,5f,5f,5f,5f,5f,\
5f,5f,00,01,00,00,00,08,00,00,00
"_CommentFromDesktopINI"=""

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f5750dc0-3256-11dc-8bf7-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f5750dc0-3256-11dc-8bf7-001111a0d17e}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f5750dc0-3256-11dc-8bf7-001111a0d17e}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f5750dc0-3256-11dc-8bf7-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9c2a813-94bf-11dc-9d0e-001111a0d17e}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9c2a813-94bf-11dc-9d0e-001111a0d17e}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9c2a813-94bf-11dc-9d0e-001111a0d17e}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9c2a813-94bf-11dc-9d0e-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~
No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\system32

C:\autorun.inf **folder** found
Files in C:\autorun.inf
lpt3.This folder was created by Flash_Disinfector



D:\autorun.inf **folder** found
Files in D:\autorun.inf
lpt3.This folder was created by Flash_Disinfector



F:\autorun.inf **folder** found
Files in F:\autorun.inf
lpt3.This folder was created by Flash_Disinfector

Attached Files



#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:12:16 AM

Posted 09 August 2008 - 05:28 PM

Hi

The Combofix log is clean :thumbsup:

So is the mountpoints log :)

DSS showed a possible infection with this entry :-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bac7233-6187-11dc-9345-001111a0d17e}]
1\Command- .\recycled\info.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\recycled\info.exe

But the mountpoints log confirms it's no longer there ...

RE: Recovery console ...

Your first Combofix log confirms you attempted to install the Recovery console, with this in the header :-

Running from: C:\Documents and Settings\Aitkemp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aitkemp\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

& at the end of your log is a readout of the Boot.ini file, which should confirm installation ... but it doesn't, it only confirms a partial install ...

A timeout of 2 seconds has been added by Combofix - timeout=2

Your Boot.ini reads thus :-

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

With the Recovery console installed it should also include the line in red ..

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

I'm going to ask the author of Combofix for his thoughts on this, then get back to you.

As for "Also, when combo fix was running the system appeared as though it was trying to install MYOB Accounting Plus again. It would ask for the disks etc. then cancel itself a few times." ... I've no idea what was going on here ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
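The diagnosis above rests on one detail in the DSS output: a shell\AutoRun\command value under a MountPoints2 device key that points at .\recycled\info.exe, which Explorer would run when that volume is opened or autoplayed. As an added example (not part of the thread, and not code from DSS or ComboFix), the Python script below parses a REGEDIT4-style export of MountPoints2 in the same layout DSS prints, picks out every shell\<verb>\command value per device GUID, and lists the reasons a command looks suspicious. The export text is constructed for the example; the flagged key reuses the GUID and command string quoted in the post, while the benign keys mirror the ordinary drive and Autoplay entries in the posted log.

```python
import re

# Registry path under which Explorer remembers per-volume settings
MP2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# Matches ...\MountPoints2\{guid}\shell\<verb>\command in any letter case
MOUNTPOINT_CMD = re.compile(
    r"MountPoints2\\\{(?P<guid>[0-9a-f-]+)\}\\shell\\(?P<verb>[^\\]+)\\command$",
    re.IGNORECASE,
)

# Constructed export in the REGEDIT4 layout DSS prints. The first two keys are
# benign (a plain drive with a hex _AutorunStatus and the standard Autoplay
# DropTarget); the last key reuses the GUID and command quoted in the post.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e97ca5f6-309d-11dc-908a-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,\
5f,df,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9c2a813-94bf-11dc-9d0e-001111a0d17e}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4bac7233-6187-11dc-9345-001111a0d17e}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4bac7233-6187-11dc-9345-001111a0d17e}\shell\1\Command]
@=".\\recycled\\info.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4bac7233-6187-11dc-9345-001111a0d17e}\shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\\recycled\\info.exe"
"""


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key path: {value name: value}}.

    Quoted string values have their \\ and \" escapes removed; hex: and dword:
    values are kept as raw text, with backslash-continued lines joined first.
    """
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        while line.endswith("\\") and i < len(lines):   # hex continuation line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
        else:
            keys[current][name] = raw
    return keys


def find_shell_commands(keys):
    """Yield (guid, verb, command) for every shell\\<verb>\\command default value."""
    found = []
    for key, values in keys.items():
        m = MOUNTPOINT_CMD.search(key)
        if m and "@" in values:
            found.append((m.group("guid").lower(), m.group("verb"), values["@"]))
    return found


def suspicious_reasons(command):
    """Heuristics for a per-volume shell command; an empty list means nothing flagged."""
    cmd = command.lower()
    reasons = []
    if re.search(r"(^|\s)\.\\", cmd):
        reasons.append("relative path, resolved against the volume root when the verb fires")
    if "\\recycled\\" in cmd or "\\recycler\\" in cmd:
        reasons.append("target kept inside a Recycle Bin folder")
    if "shellexec_rundll" in cmd:
        reasons.append("launched indirectly through rundll32 ShellExec_RunDLL")
    return reasons


def scan_mountpoints(text):
    """Return one finding per shell command found in the export text."""
    return [{"guid": guid, "verb": verb, "command": command,
             "reasons": suspicious_reasons(command)}
            for guid, verb, command in find_shell_commands(parse_reg_export(text))]


if __name__ == "__main__":
    for f in scan_mountpoints(SAMPLE_EXPORT):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status}: {{{f['guid']}}} shell\\{f['verb']}\\command = {f['command']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against a real export, the script reports nothing for the normal BaseClass, _AutorunStatus and Autoplay\DropTarget values and only lists keys that actually carry a command, which is exactly the line DSS pulled out of this log.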

#9 paitkenhead

paitkenhead
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:16 AM

Posted 09 August 2008 - 05:41 PM

Thanks heaps mate - I've now let out an audible sigh of relief!

Cheers,
Paul

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:12:16 AM

Posted 10 August 2008 - 02:59 PM

Hi Paul

As a follow up to why Recovery Console didn't install, I'd like you to run a batch file for me please ...

Open a new Notepad ... Copy & paste the text from the code box below into it ...

@echo off
REM List everything under the Recovery Console folder into a temp file
Dir /a/s C:\Cmdcons >temp00
REM Zip boot.ini, its backup and the listing into boot.zip
zip boot C:\boot.ini C:\boot.bak temp00
Del temp00
REM Delete this batch file once it has finished
del %0

save it on the desktop & save it as bootini.bat

Double-click the bat file, if you get a popup saying a script is trying to run, please let it...

It will create a zip file on the desktop called Boot.zip

Please attach the zip file to your next post :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
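The batch file above collects boot.ini so that someone can read it by hand; the check itself is the one post #8 describes, confirming that the file parses and that the Recovery Console entry (the /cmdcons line pointing at C:\CMDCONS\BOOTSECT.DAT) is present. As an added example, not from the thread, ComboFix or its author, the Python script below parses a boot.ini, validates the [boot loader] and [operating systems] sections, checks that default= names a real entry, and reports whether the Recovery Console is installed. The "expected" and "partial" samples are the two boot.ini readings quoted in post #8; the "broken" sample is constructed for the example, since the thread never shows which error the original file contained.

```python
import re

# A boot entry path is either an ARC path (multi()/scsi() ... partition()\dir)
# or a drive-letter path to a boot sector image such as C:\CMDCONS\BOOTSECT.DAT
ARC_PATH = re.compile(
    r"^(?:multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$|^[a-z]:\\\S+$",
    re.IGNORECASE,
)
# path="description" /option /option
OS_ENTRY = re.compile(r'^(?P<path>[^=]+?)\s*=\s*"(?P<desc>[^"]*)"\s*(?P<opts>.*)$')

# boot.ini as the post expects it after a successful Recovery Console install
GOOD_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# The partial install quoted in the post: the same file minus the cmdcons line
PARTIAL_BOOT_INI = GOOD_BOOT_INI.rsplit("\n", 2)[0] + "\n"

# Constructed broken file: default= names a partition no entry boots, and the
# second entry is missing its quoted description
BROKEN_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS /fastdetect
"""


def parse_boot_ini(text):
    """Split boot.ini into {section name (lower case): [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_boot_ini(text):
    """Validate boot.ini and report whether a Recovery Console entry is present."""
    sections = parse_boot_ini(text)
    report = {"timeout": None, "default": None, "default_found": False,
              "recovery_console": False, "entries": [], "problems": []}
    problems = report["problems"]
    for name in ("boot loader", "operating systems"):
        if name not in sections:
            problems.append(f"missing [{name}] section")
    loader = {}
    for line in sections.get("boot loader", []):
        key, sep, value = line.partition("=")
        if sep:
            loader[key.strip().lower()] = value.strip()
        else:
            problems.append(f"malformed [boot loader] line: {line!r}")
    if loader.get("timeout", "").isdigit():
        report["timeout"] = int(loader["timeout"])
    else:
        problems.append("timeout= is missing or not a whole number of seconds")
    report["default"] = loader.get("default")
    if not report["default"]:
        problems.append("default= is missing")
    for line in sections.get("operating systems", []):
        m = OS_ENTRY.match(line)
        if not m:
            problems.append(f"malformed [operating systems] line: {line!r}")
            continue
        path, desc, opts = m.group("path"), m.group("desc"), m.group("opts")
        if not ARC_PATH.match(path):
            problems.append(f"unrecognised boot path {path!r}")
        report["entries"].append((path, desc, opts))
        # the /cmdcons switch or a BOOTSECT.DAT target marks the Recovery Console entry
        if "/cmdcons" in opts.lower() or path.lower().endswith("bootsect.dat"):
            report["recovery_console"] = True
    if report["default"]:
        wanted = report["default"].lower()
        report["default_found"] = any(p.lower() == wanted for p, _, _ in report["entries"])
        if not report["default_found"]:
            problems.append("default= names a path that no [operating systems] entry boots")
    return report


if __name__ == "__main__":
    for label, ini in (("expected", GOOD_BOOT_INI), ("partial", PARTIAL_BOOT_INI),
                       ("broken", BROKEN_BOOT_INI)):
        r = check_boot_ini(ini)
        print(f"{label}: timeout={r['timeout']} recovery_console={r['recovery_console']} "
              f"problems={r['problems']}")
```

The "partial" reading is valid as a boot.ini, which is why it boots normally; it simply lacks the Recovery Console entry, so the report distinguishes a syntactically broken file from one that is merely missing the install.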

#11 paitkenhead

paitkenhead
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:16 AM

Posted 10 August 2008 - 04:29 PM

Here is the boot.zip as requested. Also, I only just noticed that I hadn't sent you the HiJack This log you had requested earlier. Sorry about that. You will find it below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:42 AM, on 10/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://61.9.222.148/Remote/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.smh.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EVEMon] "C:\Program Files\EVEMon\EVEMon.exe" -startMinimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak Picture Transfer.lnk = C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.emdat.com
O15 - Trusted Zone: *.mytranscriptions.com
O15 - Trusted Zone: *.emdat.com (HKLM)
O15 - Trusted Zone: *.mytranscriptions.com (HKLM)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://10.0.0.1/ConnectComputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184234810437
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://10.0.0.1/Remote/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{172DA0CD-1B0D-4FD2-85E8-87FDE485EC44}: Domain = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{172DA0CD-1B0D-4FD2-85E8-87FDE485EC44}: NameServer = 144.140.70.30,144.140.71.16
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak picture transfer agent (KODAK Picture Transfer Agent) - Eastman Kodak Company - C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Cricket 2007 Drivers Auto Removal (pr2agnqb) (pr2agnqb) - Codemasters - C:\WINDOWS\system32\pr2agnqb.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12285 bytes

Attached Files

  • Attached File  boot.zip   3.26KB   42 downloads


#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:12:16 AM

Posted 11 August 2008 - 03:47 PM

Hi Paul

Your hijackthis log is clean ...

Thanks for uploading the boot.zip file

You can see it's generated a fair bit of interest from the experts, by the number of downloads (15)

It turns out the reason Combofix did not install the Recovery Console properly was because your original boot.ini file had an error in it ... out of interest, have you edited the boot.ini file yourself at any time in the past ?

Anyway sUBs (the author of Combofix) has updated CF to compensate for the error ... So I'd like you to try and install it again...

1. FIRST ... please find the C:\CmdCons folder & delete it

2. THEN ...Delete the Combofix.exe file from your desktop

3. Then download a new updated version of Combofix to your desktop

4. then drag & drop the WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe onto the Combofix.exe file again

5. Let Combofix run & post the new log please ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#13 paitkenhead

paitkenhead
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:16 AM

Posted 11 August 2008 - 04:44 PM

I'm pleased my system anomalies are generating so much interest from the experts - makes me feel special (just like I'd feel if I returned from South America with an exotic parasite or something).

Combofix ran much more smoothly this time. When it has run previously the system beeped regularly throughout the process, but this time it ran smoothly and quickly. I was a little concerned when part way through my AV threw a detection up, but I gather this EICAR-Test virus is part of the process! Phew.

Thanks once again for all your help.




Please find below my combofix log:

ComboFix 08-08-10.05 - Aitkemp 2008-08-12 7:13:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1748 [GMT 10:00]
Running from: C:\Documents and Settings\Aitkemp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aitkemp\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-09 11:26 . 2008-08-09 11:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 11:26 . 2008-08-09 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 11:26 . 2008-08-09 11:26 <DIR> d-------- C:\Documents and Settings\Aitkemp\Application Data\Malwarebytes
2008-08-09 11:26 . 2008-07-30 20:15 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 11:26 . 2008-07-30 20:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-08 12:48 . 2008-08-08 12:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 12:45 . 2008-08-08 12:45 <DIR> d-------- C:\Deckard
2008-08-07 11:31 . 2008-08-07 11:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-07 11:31 . 2008-08-09 18:29 <DIR> d-------- C:\Program Files\a-squared Free
2008-08-07 11:31 . 2008-08-07 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 11:31 . 2008-08-07 11:31 <DIR> d-------- C:\Documents and Settings\Aitkemp\Application Data\SUPERAntiSpyware.com
2008-08-07 10:24 . 2008-08-07 10:24 <DIR> d-------- C:\VundoFix Backups
2008-08-06 06:13 . 2008-08-06 06:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-06 06:11 . 2008-08-06 06:11 <DIR> d-------- C:\Program Files\iTunes
2008-08-06 06:11 . 2008-08-06 06:11 <DIR> d-------- C:\Program Files\iPod
2008-08-01 06:00 . 2008-08-09 19:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-01 06:00 . 2008-08-09 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 05:51 . 2008-08-01 05:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 20:08 . 2008-07-31 20:08 <DIR> d-------- C:\Program Files\Emdat
2008-07-24 15:18 . 2004-08-12 23:17 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-24 13:19 . 2008-07-24 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-24 13:18 . 2008-07-24 13:18 <DIR> d-------- C:\Program Files\Sierra Online
2008-07-22 20:31 . 2008-07-22 20:31 <DIR> d-------- C:\Program Files\EFILive
2008-07-22 20:30 . 2008-08-08 06:54 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{CA7FCF0C-8B0B-4C6D-9391-5D9C0D96FF0D}
2008-07-16 07:35 . 2008-07-16 07:35 <DIR> d--h----- C:\C_DILLA
2008-07-16 07:35 . 2008-07-16 07:35 8,864 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2008-07-15 22:06 . 2008-07-15 22:06 <DIR> d-------- C:\Program Files\Bonjour
2008-07-15 22:05 . 2008-07-15 22:05 <DIR> d-------- C:\Program Files\QuickTime
2008-07-15 16:29 . 2008-08-12 07:07 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-15 14:03 . 2008-07-15 16:50 <DIR> d-------- C:\Documents and Settings\Aitkemp\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 21:16 26,290,464 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-09 09:33 352,916 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-07 20:54 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-08-07 03:44 2,168,320 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-07 01:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 00:33 2,164,736 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-08-06 21:04 2,156,544 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-26 03:01 2,686,976 ----a-w C:\WINDOWS\Internet Logs\xDB233.tmp
2008-07-24 03:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 06:57 165,376 ----a-w C:\WINDOWS\Internet Logs\xDB294.tmp
2008-07-15 06:42 --------- d-----w C:\Program Files\Java
2008-07-15 03:38 --------- d-----w C:\Program Files\Zone Labs
2008-07-09 06:21 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-08 23:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-08 23:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 13:40 --------- d-----w C:\Documents and Settings\Aitkemp\Application Data\EVEMon
2008-07-06 01:07 --------- d-----w C:\Documents and Settings\Aitkemp\Application Data\Skinux
2008-07-06 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-07-06 01:01 --------- d-----w C:\Program Files\Kodak
2008-07-06 01:00 --------- d-----w C:\Program Files\Common Files\Kodak
2008-07-01 11:55 --------- d-----w C:\Program Files\Safari
2008-06-21 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2008-06-21 01:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-01-17 23:42 4 --sh--r C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-09_12.23.37.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-28 21:30:34 10,134 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\AccPlusv17Full_Hel_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 10,134 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\AccPlusv17Full_Hel_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\ARPPRODUCTICON.exe
+ 2008-08-10 06:59:18 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\ARPPRODUCTICON.exe
- 2007-10-28 21:30:34 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\DesktopPremEntv5_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\DesktopPremEntv5_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 10,134 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\Full_Help_3ED730ABA82440AE91909B80EA761181.exe
+ 2008-08-10 06:59:18 10,134 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\Full_Help_3ED730ABA82440AE91909B80EA761181.exe
- 2007-10-28 21:30:34 135,168 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\NewShortcut6_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 135,168 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\NewShortcut6_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 5,222 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\NewShortcut8_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 5,222 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\NewShortcut8_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 40,960 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEnt5_IA_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 40,960 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEnt5_IA_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 45,056 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5ODBC_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 45,056 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5ODBC_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 135,168 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5Optimiser_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 135,168 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5Optimiser_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5Template__89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5Template__89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 135,168 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5Upgrade_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 135,168 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\PremEntv5Upgrade_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2007-10-28 21:30:34 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\Shortcut_PremEntv5_89D94B114C0A44E4A8FAA6F5BD107043.exe
+ 2008-08-10 06:59:18 65,536 ----a-r C:\WINDOWS\Installer\{89D94B11-4C0A-44E4-A8FA-A6F5BD107043}\Shortcut_PremEntv5_89D94B114C0A44E4A8FAA6F5BD107043.exe
- 2008-08-09 01:35:42 659,160 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-08-11 18:54:03 676,436 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-08-07 21:54:40 10,094,869 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-08-09 03:58:13 10,090,839 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2008-08-03 06:54:00 2,429,952 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-08-11 21:13:23 2,961,920 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [X]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 23:18 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024]
"EVEMon"="C:\Program Files\EVEMon\EVEMon.exe" [2008-03-04 23:44 847872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 13:33 1388544]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 12:39 151552]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 18:19 57344]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 16:24 1732608]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 23:18 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 11:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2007-08-06 09:29:44 25214]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 01:12:24 110592]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 07:15:28 282624]
Kodak Picture Transfer.lnk - C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer.exe [2007-03-13 12:02:18 7008256]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\Program Files\\Kodak\\Kodak Utilities\\PTS\\Kodak Picture Transfer Service.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 pe3agnqb;Cricket 2007 Environment Driver (pe3agnqb);C:\WINDOWS\system32\drivers\pe3agnqb.sys [2007-03-04 02:57]
R0 ps6agnqb;Cricket 2007 Synchronization Driver (ps6agnqb);C:\WINDOWS\system32\drivers\ps6agnqb.sys [2007-03-04 02:57]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-07 01:11]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 04:47]
R2 KODAK Picture Transfer Agent;Kodak picture transfer agent;C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe [2007-03-13 12:02]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 03:40]
S2 pr2agnqb;Cricket 2007 Drivers Auto Removal (pr2agnqb);C:\WINDOWS\system32\pr2agnqb.exe svc []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4da9fc67-6961-11dc-8d16-001111a0d17e}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-03 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-12 23:27]

2008-08-09 C:\WINDOWS\Tasks\EFILive V7.5 Updates.job
- C:\WINDOWS\Installer\EFILive V7.5 Updates for All Users.lnk [2008-07-22 20:31]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Aitkemp\Application Data\Mozilla\Firefox\Profiles\n3t0lhqz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.google.com/mail/
FF -: plugin - C:\Program Files\Common-Use Signing Interface\bin\npCsiPlugin.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 07:17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-12 7:18:35
ComboFix-quarantined-files.txt 2008-08-11 21:18:30
ComboFix2.txt 2008-08-09 21:22:37
ComboFix3.txt 2008-08-09 02:46:12

Pre-Run: 20,984,242,176 bytes free
Post-Run: 20,932,407,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

218 --- E O F --- 2008-07-25 05:14:20

#14 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 11 August 2008 - 05:07 PM

Hi

I was a little concerned when part way through my AV threw a detection up


That's why you're supposed to turn off all resident scanners, as some will interfere with the running of Combofix. :thumbsup:

Well the Recovery Console appears to have installed this time, but the boot.ini is still not as I would have expected to see it ... I shall consult with my fellow experts again & if anything else needs to be done I'll let you know.

As windows loads now, you will see a black screen for 2 seconds, giving you the option to boot to the Recovery Console or boot windows normally. Do nothing & windows will boot normally. Should you have a major problem in the future & windows will not boot normally, then having the option to boot to the Recovery Console may well save you having to reinstall.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#15 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 11 August 2008 - 05:15 PM

forget this ...

Edited by steamwiz, 11 August 2008 - 05:16 PM.
