Infected By Generic7.* And Generic11.*


This topic is locked. 12 replies to this topic.

#1 Q.T.Quazar (Members, 9 posts)

Posted 10 August 2008 - 12:15 AM

Any help is appreciated. Here is the DSS/HJT log.

Thanks,
Q



Edit: sorry, forgot to attach the extra.txt log.
Edit 2: attached now. Reading through the DSS, you can see that I completely deserved both these viruses.
Nevertheless, hope you can help. I know the .dlls, but not the removal procedure or if there is another part of the rootkit.



Deckard's System Scanner v20071014.68
Run by Q.T.Quazar on 2008-08-10 13:03:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 4 Restore Point(s) --
4: 2008-08-10 01:02:25 UTC - RP305 - Scheduled Checkpoint
3: 2008-08-08 19:57:52 UTC - RP304 - Scheduled Checkpoint
2: 2008-08-07 16:10:19 UTC - RP303 - Scheduled Checkpoint
1: 2008-08-06 17:09:33 UTC - RP302 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Q.T.Quazar.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:08 PM, on 8/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Q.T.Quazar\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\Users\QT4265~1.QUA\Desktop\Q.T.Quazar.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1A4BA860-573E-4059-8337-6A34AC65C535} - C:\Windows\system32\hggHAtUl.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {64766BE9-083B-489A-8FCF-27ED29434468} - C:\Windows\system32\nnnnOiIC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CA33656D-11A4-49AE-94C4-69F67042F387} - (no file)
O3 - Toolbar: (no name) - {FB3486FF-2A37-4536-B847-D999BA4E7776} - (no file)
O3 - Toolbar: (no name) - {8A11BBE3-E0B5-40FB-9D86-E08A52B51B47} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: ӵQQ - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (AxSubmitControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: wnslvxtf - {74E434E7-EB46-4128-8402-A5E9967BF47B} - (no file)
O21 - SSODL: eqvwamkl - {E3E0D2BA-F5A2-4B59-9A97-30682838BD57} - (no file)
O21 - SSODL: xokvrpwg - {96EBD033-D941-4355-BB5A-43795DB9D524} - (no file)
O21 - SSODL: tfnslopk - {ECF2A38A-0338-4B34-BF97-51090B64D779} - (no file)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7233 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 Alidevice - c:\windows\system32\drivers\alidevice.sys <Not Verified; alipay.com; alidevice>

S0 OemBiosDevice (Royalty OEM BIOS Extension) - c:\windows\system32\drivers\royal.sys <Not Verified; PARADOX; SLP Kernel-Mode Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_HL-DT-ST&PROD_DVDRAM_GSA-4120B&REV_A115\5&321C66E6&0&000200
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVDRAM GSA-4120B SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_HL-DT-ST&PROD_DVDRAM_GSA-4120B&REV_A115\5&321C66E6&0&000200
Service: cdrom

Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_CZ5107R&PROD_FTS814H&REV_2.0B\5&2C4F72D4&0&000000
Manufacturer: (Standard CD-ROM drives)
Name: CZ5107R FTS814H SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_CZ5107R&PROD_FTS814H&REV_2.0B\5&2C4F72D4&0&000000
Service: cdrom

Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_OZMX&PROD_I741INGT2RKX&REV_1.03\5&36E5972&1&000000
Manufacturer: (Standard CD-ROM drives)
Name: OZMX I741INGT2RKX SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_OZMX&PROD_I741INGT2RKX&REV_1.03\5&36E5972&1&000000
Service: cdrom


-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-10 12:28:42 99200 --a------ C:\Windows\system32\ovvscmin.dll
2008-08-09 07:55:47 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-08-09 00:32:23 0 d-------- C:\VundoFix Backups
2008-08-05 03:52:34 0 d-------- C:\Program Files\CCleaner
2008-08-05 03:30:37 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-05 02:33:45 99200 -----n--- C:\Windows\system32\mjgjweuu.dll
2008-08-05 02:32:54 78287 --ahs---- C:\Windows\system32\CIiOnnnn.ini2
2008-08-05 02:32:25 323328 --a------ C:\Windows\system32\nnnnOiIC.dll
2008-08-05 02:19:36 380928 --a------ C:\Windows\wnlmdakqoxv.dll
2008-08-05 02:01:05 0 d--h----- C:\$AVG8.VAULT$
2008-08-05 02:00:44 0 d-------- C:\Windows\The Wonderful end Of the world
2008-08-04 13:42:00 0 d-------- C:\Windows\system32\drivers\Avg
2008-08-04 13:41:24 0 d-------- C:\Users\All Users\avg8
2008-08-04 13:41:24 0 d-------- C:\Program Files\AVG
2008-08-03 13:59:06 0 d-------- C:\Windows\Simpsons Jeopardy!
2008-08-01 21:28:01 0 d-------- C:\Program Files\iPod
2008-08-01 21:27:59 0 d-------- C:\Program Files\iTunes
2008-08-01 21:27:22 0 d-------- C:\Program Files\Apple Software Update
2008-07-26 11:24:35 520192 --a------ C:\Windows\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-26 09:51:42 0 d-------- C:\Users\All Users\Ubisoft
2008-07-26 06:04:06 0 d-------- C:\Users\All Users\SongbirdVLC
2008-07-26 06:04:00 0 d-------- C:\Program Files\Songbird
2008-07-26 05:51:07 0 d-------- C:\Program Files\QuickTime
2008-07-26 05:21:48 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-07-26 04:34:25 0 d-------- C:\Program Files\Alcohol Soft
2008-07-26 04:06:09 366750 --ahs---- C:\Windows\system32\fhgMoUvw.ini2
2008-07-26 03:57:16 0 d-------- C:\Program Files\USS
2008-07-26 03:57:15 0 --a------ C:\END
2008-07-18 23:55:11 98304 --a------ C:\Windows\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-07-18 23:35:45 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-07-18 04:52:51 0 d-------- C:\PerfLogs
2008-07-18 01:49:02 0 d-------- C:\Program Files\MSXML 4.0
2008-07-17 23:11:43 0 d-------- C:\Program Files\Pidgin
2008-07-17 23:11:40 0 d-------- C:\Program Files\Common Files\GTK
2008-07-11 13:37:00 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-11 13:36:53 0 d-------- C:\Windows\system32\qqedit
2008-07-11 08:28:31 0 d-------- C:\Users\All Users\Storm
2008-07-11 08:28:18 0 d-------- C:\Program Files\StormII
2008-07-11 08:20:28 55808 --a------ C:\Windows\unleap.exe


-- Find3M Report ---------------------------------------------------------------

2008-08-10 12:30:14 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Azureus
2008-08-09 16:23:33 330284 --a------ C:\Windows\system32\prfh0804.dat
2008-08-09 16:23:33 105280 --a------ C:\Windows\system32\prfc0804.dat
2008-08-09 16:23:33 386342 --a------ C:\Windows\system32\perfh011.dat
2008-08-09 16:23:33 105448 --a------ C:\Windows\system32\perfc011.dat
2008-08-08 23:26:05 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\OpenOffice.org2
2008-08-04 20:18:03 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\.purple
2008-07-30 21:36:40 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\gtk-2.0
2008-07-26 11:24:38 0 d-------- C:\Program Files\Realtek
2008-07-26 11:24:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 06:19:36 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-26 06:04:11 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Songbird2
2008-07-18 23:35:09 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\DAEMON Tools
2008-07-18 05:02:40 174 --ahs---- C:\Program Files\desktop.ini
2008-07-18 04:56:05 0 d-------- C:\Program Files\Windows Calendar
2008-07-18 04:56:05 0 d-------- C:\Program Files\Movie Maker
2008-07-18 04:56:03 0 d-------- C:\Program Files\Windows Sidebar
2008-07-18 04:56:03 0 d-------- C:\Program Files\Windows Mail
2008-07-18 04:56:01 0 d-------- C:\Program Files\Windows Collaboration
2008-07-18 04:56:00 0 d-------- C:\Program Files\Windows Journal
2008-07-18 04:55:59 0 d-------- C:\Program Files\Windows Photo Gallery
2008-07-18 04:55:53 0 d-------- C:\Program Files\Windows Defender
2008-07-18 01:47:01 0 d-------- C:\Program Files\Java
2008-07-17 23:11:40 0 d-------- C:\Program Files\Common Files
2008-07-13 03:08:38 0 d-------- C:\Program Files\Azureus
2008-07-13 01:06:11 0 d-------- C:\Program Files\China Mobile
2008-07-11 13:52:14 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\QQ
2008-07-11 13:37:06 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Tencent
2008-07-11 08:28:30 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Application Data
2008-07-08 21:18:25 0 d-------- C:\Program Files\CyberLink
2008-07-08 21:17:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-08 21:16:48 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Adobe
2008-07-07 03:32:41 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\CyberLink
2008-07-07 03:29:29 1 --a------ C:\Windows\system32\SI.bin
2008-07-07 03:16:37 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-07 02:53:20 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Opera
2008-07-07 01:47:02 82432 --a------ C:\Windows\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft MSXML 4.0 SP1>
2008-07-06 09:37:46 0 d-------- C:\Program Files\rrootage
2008-07-05 20:59:52 286 --a------ C:\Windows\system32\cid_store.dat
2008-07-05 11:12:01 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Bioshock
2008-07-05 09:45:51 20 --a------ C:\Windows\system32\pub_store.dat
2008-07-05 09:45:36 0 d-------- C:\Program Files\Common Files\Thunder Network
2008-07-05 09:45:33 0 d-------- C:\Program Files\Thunder Network
2008-06-27 12:40:50 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\dvdcss
2008-06-19 14:50:30 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\UFOAI
2008-06-18 21:49:03 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Mozilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A4BA860-573E-4059-8337-6A34AC65C535}]
C:\Windows\system32\hggHAtUl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64766BE9-083B-489A-8FCF-27ED29434468}]
08/05/2008 02:32 AM 323328 --a------ C:\Windows\system32\nnnnOiIC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA33656D-11A4-49AE-94C4-69F67042F387}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 PM]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [03/20/2007 02:36 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [09/09/2006 05:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/02/2008 12:15 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/12/2007 09:06 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/12/2007 09:06 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/12/2007 09:06 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"RtHDVCpl"="RtHDVCpl.exe" [07/16/2008 07:01 PM C:\Windows\RtHDVCpl.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/04/2008 01:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 PM]
"PicoZip"="C:\Program Files\PicoZip\PicoZipTray.exe" [06/09/2006 12:00 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 03:33 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 03:33 PM]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [03/21/2008 12:46 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [07/24/2008 11:02 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1A4BA860-573E-4059-8337-6A34AC65C535}"= C:\Windows\system32\hggHAtUl.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\nnnnOiIC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Windows\system32\hggHAtUl.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- wscript.exe u.vbe
explore\Command- wscript.exe u.vbe
find\Command- wscript.exe u.vbe
open\Command- wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- wscript.exe u.vbe
explore\Command- wscript.exe u.vbe
find\Command- wscript.exe u.vbe
open\Command- wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051a41af-d3cc-11dc-9cdf-806e6f6e6963}]
AutoRun\command- wscript.exe u.vbe
explore\Command- wscript.exe u.vbe
find\Command- wscript.exe u.vbe
open\Command- wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cab5981-0fc5-11dd-a69e-001a4d5c79b5}]
Auto\command- H:\book.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\book.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a968e6-1b7a-11dd-b570-001a4d5c79b5}]
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3682c7bf-d3c3-11dc-82bc-806e6f6e6963}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
explore\Command- .\RECYCLER\auto.exe
open\Command- .\RECYCLER\auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c61aa747-d3bb-11dc-ab88-806e6f6e6963}]
AutoRun\command- D:\Run.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8940 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-10 13:06:16 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows Vista™ Ultimate (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel Core™2 Duo CPU E6750 @ 2.66GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 2045.77 MiB / 983.91 MiB
Pagefile Memory (total/avail): 4344.56 MiB / 3084.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1893.11 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 298.09 GiB total, 81.11 GiB free.
D: is Fixed (NTFS) - 149.04 GiB total, 76.9 GiB free.
E: is Fixed (NTFS) - 111.78 GiB total, 39.02 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3120026AS ATA Device - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.78 GiB - E:

\\.\PHYSICALDRIVE2 - SATA ST316002 SCSI Disk Device - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - D:

\\.\PHYSICALDRIVE1 - SATA ST332062 SCSI Disk Device - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
AS: AVG Anti-Virus Free v8.0 (AVG Technologies) Disabled
AS: Spybot - Search and Destroy v1.0.0.6 (Safer Networking Ltd.) Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Q.T.Quazar\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=Q13
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Q.T.Quazar
LOCALAPPDATA=C:\Users\Q.T.Quazar\AppData\Local
LOGONSERVER=\\Q13
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\QT4265~1.QUA\AppData\Local\Temp
TMP=C:\Users\QT4265~1.QUA\AppData\Local\Temp
USERDOMAIN=Q13
USERNAME=Q.T.Quazar
USERPROFILE=C:\Users\Q.T.Quazar
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Q.T.Quazar (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.exe"
--> "C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.exe"
--> "C:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.exe"
--> "C:\Program Files\USS\unins000.exe"
??????? 2,1,1,1 --> "C:\Windows\system32\aliedit\unins000.exe"
a-squared Anti-Malware 3.5 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
Acubix PicoZip 4.02 --> "C:\Program Files\PicoZip\unins000.exe"
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Apple Mobile Device Support --> MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Audiosurf --> MsiExec.exe /I{6D316D67-DA52-4659-9C98-F479963534D6}
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Baldur's Gate™ II - Throne of Bhaal ™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
Beyond Divinity V1.0 --> D:\PROGRA~1\LARIAN~1\BEYOND~1\UNWISE.EXE D:\PROGRA~1\LARIAN~1\BEYOND~1\INSTALL.LOG
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Combined Community Codec Pack 2008-01-24 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Cottage Of Doom 1.0 --> "C:\Program Files\Cottage Of Doom\unins000.exe"
dBpoweramp FLAC Codec --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
dBpoweramp m4a Codec --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
dBpoweramp Music Converter --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
Democracy 2 --> "d:\Program Files\Democracy2\unins000.exe"
Depths Of Peril --> "C:\Program Files\Depths Of Peril\ReflexiveArcade\unins000.exe"
Easy Video Joiner 5.21 --> "C:\Program Files\Easy Video Joiner\unins000.exe"
Eschalon Book 1 v1.0 --> "d:\Program Files\Eschalon Book I\unins000.exe"
FastCrawl Version 1.03 --> "C:\Program Files\FastCrawl\unins000.exe"
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gigabyte Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
Gothic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBF10B37-4ED3-11D5-A818-00500435FC18}\Setup.exe"
Gothic_Patch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{302AC480-43D2-11D5-A818-00500435FC18}\Setup.exe" -uninst
GTK+ Runtime 2.12.1 rev b (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
Harvest Massive Encounter --> "d:\Program Files\Harvest Massive Encounter\ReflexiveArcade\unins000.exe"
HijackThis 2.0.2 --> "C:\Users\Q.T.Quazar\Desktop\HijackThis.exe" /uninstall
ILLUSION ????3 --> MsiExec.exe /X{E4D02EF2-6F12-4BE9-9928-2F27DA01A915}
֧ȫؼ 1,1,0,3 --> "C:\Windows\system32\aliedit\unins000.exe"
iTunes --> MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kudos 2-in-1 --> "C:\Windows\Kudos 2-in-1\uninstall.exe" "/U:d:\Program Files\Kudos 2-in-1\Uninstall\uninstall.xml"
LeapFTP --> C:\Windows\unleap.exe C:\Program Files\LeapFTP\install.log
Magic Stones --> "d:\Program Files\Magic Stones\ReflexiveArcade\unins000.exe"
Microsoft .NET Framework 3.5 --> C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5 --> MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft .NET Framework 3.5 ??? - ???? --> C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - chs\setup.exe
Microsoft .NET Framework 3.5 Language Pack - ??? --> C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - jpn\setup.exe
Microsoft .NET Framework 3.5 Language Pack - chs --> MsiExec.exe /I{43A3B6EF-14BE-372E-A29B-D3A8ADE2FE55}
Microsoft .NET Framework 3.5 Language Pack - jpn --> MsiExec.exe /I{8027B590-CD2B-3C7E-9F00-CDC0916CC915}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.16) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Oblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
Oblivion - Horse Armor Pack --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
Oblivion mod manager 1.1.9 --> "C:\Program Files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe"
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
Oxin's Style! 3D Sexvilla 2 --> "d:\Program Files\Oxin's Style!\3D Sexvilla 2\Binaries\unins000.exe"
Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RapeLay (remove only) --> "d:\Program Files\Illusion\RapeLay\uninstall.exe"
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
Runesword 2.5.0 --> d:\Program Files\Runesword\uninst.exe
Sexy Beach 3 - Complete English Edition (remove only) --> "d:\Program Files\Illusion\SexyBeach3-CEE\uninstall.exe"
Sins of a Solar Empire --> "C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe" REMOVE=TRUE MODIFY=FALSE
Sins of a Solar Empire --> C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe
Songbird 0.6.1 (20080623) --> "C:\Program Files\Songbird\Songbird-Uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Three thrixx Games v32 --> e:\thriXXX\Uninstall.exe
Tom Clancy's Splinter Cell Chaos Theory --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BABAEBE4-9FFB-4B5D-9453-64FF11517CA2}\setup.exe" -l0x9 -removeonly
Tradewinds Legends --> "C:\Program Files\Tradewinds Legends\ReflexiveArcade\unins000.exe"
UFO:AI 2.2.1 --> d:\Program Files\UFOAI-2.2.1\uninst.exe
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
Unofficial Oblivion Patch v2.2.0 --> "C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Oblivion Patch\unins000.exe"
Unofficial Official Mods Patch v11 --> "C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Official Mods Patch\unins000.exe"
Unofficial Shivering Isles Patch v1.2.0 --> "C:\Program Files\Bethesda Softworks\Oblivion\Unofficial Shivering Isles Patch\unins000.exe"
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Westward --> "C:\Program Files\Westward\ReflexiveArcade\unins000.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type7689 / Warning
Event Submitted/Written: 08/10/2008 00:31:03 PM
Event ID/Source: 3036 / Windows Search Service
Event Description:
The content source <csc://{s-1-5-21-2007570563-3993865115-4261506697-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
The filter process cannot be started. The system is most likely low on resources, or the filter process binary was modified. If the resources are available, check the search binaries with an antivirus program. (0x80040d39)

Event Record #/Type7685 / Warning
Event Submitted/Written: 08/10/2008 00:30:36 PM
Event ID/Source: 4105 / Winlogon
Event Description:
Windows is in Notification period.

Event Record #/Type7680 / Error
Event Submitted/Written: 08/10/2008 00:22:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.6001.18000, time stamp 0x47918e5d, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0xc0000374, fault offset 0x000b015d,
process id 0xcf8, application start time 0xexplorer.exe0.

Event Record #/Type7670 / Error
Event Submitted/Written: 08/07/2008 01:58:16 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.9.0.3105, time stamp 0x486bac70, faulting module xul.dll, version 1.9.0.3105, time stamp 0x486bacbc, exception code 0xc0000005, fault offset 0x00091645,
process id 0x1020, application start time 0xfirefox.exe0.

Event Record #/Type7665 / Success
Event Submitted/Written: 08/06/2008 01:35:19 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type47900 / Warning
Event Submitted/Written: 08/10/2008 01:04:19 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Q1327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Q1327 can't undo changes that you allow.

For more information please see the following:
%Q13275

Scan ID: {C21C84FF-1E9D-4F47-B8A0-D2C1372B65E9}

User: Q13\Q.T.Quazar

Name: %Q13271

ID: %Q13272

Severity ID: %Q13273

Category ID: %Q13274

Path Found: %Q13276

Alert Type: %Q13278

Detection Type: 1.1.1600.02

Event Record #/Type47899 / Warning
Event Submitted/Written: 08/10/2008 01:04:19 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Q1327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Q1327 can't undo changes that you allow.

For more information please see the following:
%Q13275

Scan ID: {0821DB2A-6776-4550-AE18-32F4BDC53A4A}

User: Q13\Q.T.Quazar

Name: %Q13271

ID: %Q13272

Severity ID: %Q13273

Category ID: %Q13274

Path Found: %Q13276

Alert Type: %Q13278

Detection Type: 1.1.1600.02

Event Record #/Type47898 / Warning
Event Submitted/Written: 08/10/2008 01:04:19 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Q1327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Q1327 can't undo changes that you allow.

For more information please see the following:
%Q13275

Scan ID: {539D3E80-3326-4474-B858-0BB10EED1D86}

User: Q13\Q.T.Quazar

Name: %Q13271

ID: %Q13272

Severity ID: %Q13273

Category ID: %Q13274

Path Found: %Q13276

Alert Type: %Q13278

Detection Type: 1.1.1600.02

Event Record #/Type47897 / Warning
Event Submitted/Written: 08/10/2008 01:04:17 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Q1327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Q1327 can't undo changes that you allow.

For more information please see the following:
%Q13275

Scan ID: {759525AC-49AE-4A75-A96E-D42983A5A6C1}

User: Q13\Q.T.Quazar

Name: %Q13271

ID: %Q13272

Severity ID: %Q13273

Category ID: %Q13274

Path Found: %Q13276

Alert Type: %Q13278

Detection Type: 1.1.1600.02

Event Record #/Type47896 / Warning
Event Submitted/Written: 08/10/2008 01:04:17 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Q1327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Q1327 can't undo changes that you allow.

For more information please see the following:
%Q13275

Scan ID: {342D5E93-AAB8-4277-B00C-79B183DA742B}

User: Q13\Q.T.Quazar

Name: %Q13271

ID: %Q13272

Severity ID: %Q13273

Category ID: %Q13274

Path Found: %Q13276

Alert Type: %Q13278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-08-10 13:06:16 ------------

Edited by Q.T.Quazar, 10 August 2008 - 12:33 AM.



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:37 AM

Posted 11 August 2008 - 01:44 PM

Hello Q.T.Quazar,

Please download Malwarebytes' Anti-Malware from Here or Here



I notice that you have Spybot's TeaTimer and Windows Defender running.
While these are normally wonderful tools to protect against hijackers, they can also interfere with the fixes.
So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts


To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

You can re-enable TeaTimer and Windows Defender once your system is clean.


Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click Ignore for mbamext.dll.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
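The OP asked whether there is "another part of the rootkit" beyond the DLLs. The logs in this thread show the Vundo/Virtumonde pattern a helper looks for: Malwarebytes removed C:\Windows\System32\ovvscmin.dll together with nimcsvvo.ini, whose name is the DLL name spelled backwards, and the post-cleanup DSS listing still shows two hidden+system .ini2 files with random 8-letter names in system32 (CIiOnnnn.ini2 and fhgMoUvw.ini2). The script below is an added example, not code from this thread nor from DSS, HijackThis or Malwarebytes. It parses rows in the DSS "Files created" / "Find3M" format and flags those two indicators. The sample listing is constructed: five rows are copied from the DSS log later in this thread, while the ovvscmin.dll / nimcsvvo.ini rows, with their sizes and timestamps, are invented here, since the thread shows that pair only in the MBAM report.

```python
"""Triage a Deckard's System Scanner (DSS) file listing for Vundo-style leftovers.

Reads rows in the format DSS uses in its "Files created" and "Find3M" sections,
    <date> <time> <size> <attrs> <path> [<Not Verified; ...>]
and flags two patterns of the Vundo/Virtumonde family discussed in this thread:
  1. a DLL whose name, spelled backwards, exists as a .ini/.ini2 in the same
     folder (ovvscmin.dll <-> nimcsvvo.ini), and
  2. a hidden+system .ini/.ini2 with a random 8-letter name in system32
     (CIiOnnnn.ini2, fhgMoUvw.ini2).
These are triage heuristics for what to look at next, not detection signatures.
"""
import re
from collections import defaultdict

# One DSS listing row. The attribute column is 9 characters, e.g. "d--------",
# "--a------", "--ahs----" ('d' directory, 'a' archive, 'h' hidden, 's' system).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <[^>]*>)?$"
)
RANDOM_STEM_RE = re.compile(r"[A-Za-z]{8}")  # Vundo's throwaway 8-letter names
SYSTEM32 = r"c:\windows\system32"
INI_EXTS = (".ini", ".ini2")

RULE_PAIR = "reversed-name dll/ini pair"
RULE_HIDDEN_INI = "hidden+system random-name ini in system32"


def parse_listing(text):
    """Return one dict per listing row; section headers and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        folder, _, name = row["path"].rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        if dot:
            ext = "." + ext.lower()
        else:                      # no extension, e.g. a directory entry
            stem, ext = name, ""
        row.update(folder=folder.lower(), name=name.lower(), stem=stem, ext=ext)
        rows.append(row)
    return rows


def is_hidden_system_file(attrs):
    """True for a non-directory entry carrying both the hidden and system bits."""
    return not attrs.startswith("d") and "h" in attrs and "s" in attrs


def find_vundo_indicators(text):
    """Return (rule, path, related_path_or_None) tuples, in listing order."""
    rows = parse_listing(text)
    by_folder = defaultdict(dict)          # folder -> {lowercase name: row}
    for r in rows:
        by_folder[r["folder"]][r["name"]] = r

    findings = []
    for r in rows:
        # Rule 1: DLL whose mirrored name exists as .ini/.ini2 next to it.
        if r["ext"] == ".dll":
            mirror = r["stem"][::-1].lower()
            for ext in INI_EXTS:
                partner = by_folder[r["folder"]].get(mirror + ext)
                if partner:
                    findings.append((RULE_PAIR, r["path"], partner["path"]))
        # Rule 2: hidden+system .ini/.ini2 with a random 8-letter name in system32.
        if (r["folder"] == SYSTEM32 and r["ext"] in INI_EXTS
                and is_hidden_system_file(r["attrs"])
                and RANDOM_STEM_RE.fullmatch(r["stem"])):
            findings.append((RULE_HIDDEN_INI, r["path"], None))
    return findings


# Constructed sample in DSS format. The first five rows are copied from the
# post-cleanup DSS log in this thread; the ovvscmin/nimcsvvo rows are invented
# for this example (the thread shows that pair only in the MBAM report).
SAMPLE_LISTING = r"""
-- Files created between 2008-07-13 and 2008-08-13 -----------------------------

2008-08-05 02:32:54 78241 --ahs---- C:\Windows\system32\CIiOnnnn.ini2
2008-07-26 04:06:09 366750 --ahs---- C:\Windows\system32\fhgMoUvw.ini2
2008-07-07 01:47:02 82432 --a------ C:\Windows\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft MSXML 4.0 SP1>
2008-07-18 05:02:40 174 --ahs---- C:\Program Files\desktop.ini
2008-08-04 13:42:00 0 d-------- C:\Windows\system32\drivers\Avg
2008-08-03 12:00:00 118784 --a------ C:\Windows\system32\ovvscmin.dll
2008-08-03 12:00:00 466 --ahs---- C:\Windows\system32\nimcsvvo.ini
"""

if __name__ == "__main__":
    for rule, path, partner in find_vundo_indicators(SAMPLE_LISTING):
        print(f"{rule}: {path}" + (f"  <->  {partner}" if partner else ""))
```

Run against the listing above it reports the two leftover .ini2 files, the ovvscmin.dll / nimcsvvo.ini pair, and nimcsvvo.ini on its own, and stays quiet on the benign rows: C:\Program Files\desktop.ini is legitimately hidden+system (which is why rule 2 is limited to system32 and to .ini/.ini2 names), and 8-letter DLL names such as setupapi.dll are normal (which is why a DLL is only flagged when its mirrored .ini sits beside it). A hit is something to hand to the helper or submit for inspection, not something to delete by hand.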

#3 Q.T.Quazar

Q.T.Quazar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 12 August 2008 - 05:56 PM

Wow, I'm impressed. None of the others turned up Vundo; I even ran VundoFix earlier. I'll be keeping this tool.

Here are the fresh logs.



Malwarebytes' Anti-Malware 1.24
Database version: 1043
Windows 6.0.6001 Service Pack 1

6:33:40 AM 8/13/2008
mbam-log-8-13-2008 (06-33-39).txt

Scan type: Quick Scan
Objects scanned: 38150
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1a4ba860-573e-4059-8337-6a34ac65c535} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\USLst (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\USS (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_is1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\USS (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uss_{826f15bf-1a4c-4290-bfd1-794af7a2cb8f}_is1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uss_{d1957ff4-ea22-4b4a-81a1-c62068479ded}_is1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uss_{ec572088-91c7-4293-93f9-93d40b0e0b36}_is1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1a4ba860-573e-4059-8337-6a34ac65c535} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xokvrpwg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tfnslopk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\eqvwamkl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\USS (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\#agents (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\#agents\53 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\#monitors (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\#monitors\DirMonitor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\#monitors\FileMonitor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\#monitors\RegMonitor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\ovvscmin.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nimcsvvo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\USS\unins000.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\unins000.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\#agents\53\#startup (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcp71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcr71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\GSCRPlugin.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Deckard's System Scanner v20071014.68
Run by Q.T.Quazar on 2008-08-13 06:34:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Q.T.Quazar.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:08 AM, on 8/13/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Windows\system32\conime.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Q.T.Quazar\Desktop\dss.exe
C:\Users\QT4265~1.QUA\Desktop\QTQUAZ~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {64766BE9-083B-489A-8FCF-27ED29434468} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CA33656D-11A4-49AE-94C4-69F67042F387} - (no file)
O3 - Toolbar: (no name) - {FB3486FF-2A37-4536-B847-D999BA4E7776} - (no file)
O3 - Toolbar: (no name) - {8A11BBE3-E0B5-40FB-9D86-E08A52B51B47} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O8 - Extra context menu item: ӵQQ - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com
O16 - DPF: {8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6993 bytes

-- Files created between 2008-07-13 and 2008-08-13 -----------------------------

2008-08-12 18:14:43 0 d-------- C:\Users\All Users\Malwarebytes
2008-08-12 18:14:43 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 07:55:47 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-08-09 00:32:23 0 d-------- C:\VundoFix Backups
2008-08-05 03:52:34 0 d-------- C:\Program Files\CCleaner
2008-08-05 03:30:37 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-05 02:32:54 78241 --ahs---- C:\Windows\system32\CIiOnnnn.ini2
2008-08-05 02:01:05 0 d--h----- C:\$AVG8.VAULT$
2008-08-05 02:00:44 0 d-------- C:\Windows\The Wonderful end Of the world
2008-08-04 13:42:00 0 d-------- C:\Windows\system32\drivers\Avg
2008-08-04 13:41:24 0 d-------- C:\Users\All Users\avg8
2008-08-04 13:41:24 0 d-------- C:\Program Files\AVG
2008-08-03 13:59:06 0 d-------- C:\Windows\Simpsons Jeopardy!
2008-08-01 21:28:01 0 d-------- C:\Program Files\iPod
2008-08-01 21:27:59 0 d-------- C:\Program Files\iTunes
2008-08-01 21:27:22 0 d-------- C:\Program Files\Apple Software Update
2008-07-26 11:24:35 520192 --a------ C:\Windows\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-26 09:51:42 0 d-------- C:\Users\All Users\Ubisoft
2008-07-26 06:04:06 0 d-------- C:\Users\All Users\SongbirdVLC
2008-07-26 06:04:00 0 d-------- C:\Program Files\Songbird
2008-07-26 05:51:07 0 d-------- C:\Program Files\QuickTime
2008-07-26 05:21:48 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-07-26 04:34:25 0 d-------- C:\Program Files\Alcohol Soft
2008-07-26 04:06:09 366750 --ahs---- C:\Windows\system32\fhgMoUvw.ini2
2008-07-18 23:55:11 98304 --a------ C:\Windows\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-07-18 23:35:45 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-07-18 04:52:51 0 d-------- C:\PerfLogs
2008-07-18 01:49:02 0 d-------- C:\Program Files\MSXML 4.0
2008-07-17 23:11:43 0 d-------- C:\Program Files\Pidgin
2008-07-17 23:11:40 0 d-------- C:\Program Files\Common Files\GTK


-- Find3M Report ---------------------------------------------------------------

2008-08-12 18:14:45 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Malwarebytes
2008-08-12 18:10:06 330284 --a------ C:\Windows\system32\prfh0804.dat
2008-08-12 18:10:06 105280 --a------ C:\Windows\system32\prfc0804.dat
2008-08-12 18:10:06 386342 --a------ C:\Windows\system32\perfh011.dat
2008-08-12 18:10:06 105448 --a------ C:\Windows\system32\perfc011.dat
2008-08-12 07:36:13 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\OpenOffice.org2
2008-08-10 12:30:14 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Azureus
2008-08-04 20:18:03 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\.purple
2008-07-30 21:36:40 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\gtk-2.0
2008-07-26 11:24:38 0 d-------- C:\Program Files\Realtek
2008-07-26 11:24:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 06:19:36 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-26 06:04:11 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Songbird2
2008-07-18 23:35:09 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\DAEMON Tools
2008-07-18 05:02:40 174 --ahs---- C:\Program Files\desktop.ini
2008-07-18 04:56:05 0 d-------- C:\Program Files\Windows Calendar
2008-07-18 04:56:05 0 d-------- C:\Program Files\Movie Maker
2008-07-18 04:56:03 0 d-------- C:\Program Files\Windows Sidebar
2008-07-18 04:56:03 0 d-------- C:\Program Files\Windows Mail
2008-07-18 04:56:01 0 d-------- C:\Program Files\Windows Collaboration
2008-07-18 04:56:00 0 d-------- C:\Program Files\Windows Journal
2008-07-18 04:55:59 0 d-------- C:\Program Files\Windows Photo Gallery
2008-07-18 04:55:53 0 d-------- C:\Program Files\Windows Defender
2008-07-18 01:47:01 0 d-------- C:\Program Files\Java
2008-07-17 23:11:40 0 d-------- C:\Program Files\Common Files
2008-07-13 10:46:29 0 d-------- C:\Program Files\StormII
2008-07-13 03:08:38 0 d-------- C:\Program Files\Azureus
2008-07-13 01:06:11 0 d-------- C:\Program Files\China Mobile
2008-07-11 13:52:14 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\QQ
2008-07-11 13:37:06 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Tencent
2008-07-11 13:37:00 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-11 08:28:30 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Application Data
2008-07-08 21:18:25 0 d-------- C:\Program Files\CyberLink
2008-07-08 21:17:43 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-08 21:16:48 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Adobe
2008-07-07 03:32:41 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\CyberLink
2008-07-07 03:29:29 1 --a------ C:\Windows\system32\SI.bin
2008-07-07 03:16:37 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-07 02:53:20 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Opera
2008-07-07 01:47:02 82432 --a------ C:\Windows\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-06 09:37:46 0 d-------- C:\Program Files\rrootage
2008-07-05 20:59:52 286 --a------ C:\Windows\system32\cid_store.dat
2008-07-05 11:12:01 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Bioshock
2008-07-05 09:45:51 20 --a------ C:\Windows\system32\pub_store.dat
2008-07-05 09:45:36 0 d-------- C:\Program Files\Common Files\Thunder Network
2008-07-05 09:45:33 0 d-------- C:\Program Files\Thunder Network
2008-06-27 12:40:50 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\dvdcss
2008-06-19 14:50:30 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\UFOAI
2008-06-18 21:49:03 0 d-------- C:\Users\Q.T.Quazar\AppData\Roaming\Mozilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64766BE9-083B-489A-8FCF-27ED29434468}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA33656D-11A4-49AE-94C4-69F67042F387}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 PM]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [03/20/2007 02:36 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [09/09/2006 05:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/02/2008 12:15 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/12/2007 09:06 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/12/2007 09:06 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/12/2007 09:06 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"RtHDVCpl"="RtHDVCpl.exe" [07/16/2008 07:01 PM C:\Windows\RtHDVCpl.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/04/2008 01:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 PM]
"PicoZip"="C:\Program Files\PicoZip\PicoZipTray.exe" [06/09/2006 12:00 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 03:33 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 03:33 PM]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [03/21/2008 12:46 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [07/24/2008 11:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\nnnnOiIC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- wscript.exe u.vbe
explore\Command- wscript.exe u.vbe
find\Command- wscript.exe u.vbe
open\Command- wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- wscript.exe u.vbe
explore\Command- wscript.exe u.vbe
find\Command- wscript.exe u.vbe
open\Command- wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{051a41af-d3cc-11dc-9cdf-806e6f6e6963}]
AutoRun\command- wscript.exe u.vbe
explore\Command- wscript.exe u.vbe
find\Command- wscript.exe u.vbe
open\Command- wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0cab5981-0fc5-11dd-a69e-001a4d5c79b5}]
Auto\command- H:\book.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\book.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27a968e6-1b7a-11dd-b570-001a4d5c79b5}]
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3682c7bf-d3c3-11dc-82bc-806e6f6e6963}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
explore\Command- .\RECYCLER\auto.exe
open\Command- .\RECYCLER\auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c61aa747-d3bb-11dc-ab88-806e6f6e6963}]
AutoRun\command- D:\Run.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-13 06:37:19 ------------
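Two entries in the registry dump above are what a responder would triage first: the per-volume MountPoints2 autorun handlers (the `wscript.exe u.vbe` commands on D: and E:, matching the VBS/Uisgon.A detection on E:\U.VBE in the F-Secure report later in this thread) and the extra LSA "Authentication Packages" entry pointing at `C:\Windows\system32\nnnnOiIC`. As an added example, not code from this thread, from DSS or from any tool named here, the following Python script parses an excerpt of that dump and flags both locations. The flagging rules (script hosts, script extensions, RECYCLER or relative paths, any auth package other than msv1_0) are my own triage heuristics, not DSS behaviour.

```python
"""Triage a DSS-style registry dump for two persistence locations shown in
the log above: per-volume MountPoints2 autorun handlers and non-default LSA
Authentication Packages. Added example, not part of DSS or this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts that worms commonly abuse as an autorun handler (the dump above
# shows "wscript.exe u.vbe" and RunDLL32 ShellExec_RunDLL entries).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "rundll32.exe")
# Script extensions that should not appear as an autorun target.
SCRIPT_EXT_RE = re.compile(r"\.(vbe|vbs|js|jse|wsf|bat|cmd)(\s|$)")
# The only authentication package expected on a default Vista install
# (assumption for this example).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# MountPoints2 handler lines in a DSS dump look like "AutoRun\command- <cmd>".
HANDLER_RE = re.compile(r"^(?P<verb>[\w\\]+)-\s*(?P<cmd>.+)$")


@dataclass
class Finding:
    key: str      # registry key the entry was found under
    value: str    # the offending command or package path
    reason: str   # why it was flagged


def classify_command(cmd: str) -> Optional[str]:
    """Return a reason string if an autorun handler command looks suspicious."""
    low = cmd.lower()
    if any(host in low for host in SCRIPT_HOSTS):
        return "script or DLL host used as autorun handler"
    if SCRIPT_EXT_RE.search(low):
        return "script file used as autorun handler"
    if "\\recycler\\" in low or low.startswith(".\\"):
        return "handler hidden in RECYCLER or given as relative path"
    return None   # e.g. D:\setup.exe, the usual CD/DVD autorun


def parse_dump(text: str) -> List[Finding]:
    """Walk the dump section by section and collect findings."""
    findings: List[Finding] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if current_key is None:
            continue
        low_key = current_key.lower()
        if "\\explorer\\mountpoints2\\" in low_key:
            handler = HANDLER_RE.match(line)
            if handler:
                reason = classify_command(handler.group("cmd"))
                if reason:
                    findings.append(Finding(current_key, handler.group("cmd"), reason))
        elif low_key.endswith("\\control\\lsa") and line.lower().startswith('"authentication packages"'):
            _, _, packages = line.partition("=")
            for pkg in packages.split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(Finding(current_key, pkg, "non-default LSA authentication package"))
    return findings


# Excerpt of the registry dump above, embedded so the script runs offline.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\nnnnOiIC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- wscript.exe u.vbe
open\Command- wscript.exe u.vbe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3682c7bf-d3c3-11dc-82bc-806e6f6e6963}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60fe608c-d3bc-11dc-8016-001a4d5c79b5}]
open\Command- .\RECYCLER\auto.exe
"""

if __name__ == "__main__":
    for f in parse_dump(SAMPLE_DUMP):
        print(f"{f.reason}: {f.value}  [{f.key}]")
```

Run against the excerpt it reports four findings: the `nnnnOiIC` auth package, both `wscript.exe u.vbe` handlers on E:, and the `.\RECYCLER\auto.exe` handler, while the ordinary `D:\setup.exe` CD autorun is left alone. Feeding it the full dump from the post would also flag the RunDLL32 ShellExec_RunDLL handlers for H:\book.exe and Boot.exe, which is the right call for a manual review even though that rundll32 form is sometimes legitimate.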

#4 SifuMike (malware expert)

Posted 12 August 2008 - 06:33 PM

Hi Q.T.Quazar,

It is a great tool, but unfortunately it does remove all the infection.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you can send me the file.

You can upload the new scan log to me here. Let me know when you send it.

Edited by SifuMike, 12 August 2008 - 06:34 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Q.T.Quazar (Topic Starter)

Posted 13 August 2008 - 06:11 AM

atf cleaner completed.

delaying OTSCANIT.exe: AVG8 has flagged this file as containing trojan generic11.ow [edit: i should note this occurs immediately upon Firefox completing the download, not upon me trying to open/access the file]

i'm certainly hoping that's an FP, or else it would be the most creative way i've ever gotten a virus, but as i can't find anything at avg or on the web in general confirming this, i will delay until you can confirm.


back in the early 2000s, i was really impressed with AVG vis-a-vis the competition (both indie and bloatware). nowadays i'm not so sure anymore. a lot of false positives mixed in with the real threats.


cheers.

Edited by Q.T.Quazar, 13 August 2008 - 06:13 AM.


#6 SifuMike (malware expert)

Posted 13 August 2008 - 12:27 PM

delaying OTSCANIT.exe: AVG8 has flagged this file as containing trojan generic11.ow [edit: i should note this occurs immediately upon Firefox completing the download, not upon me trying to open/access the file]



Both AVG and Avast think OTScanIt.exe is malware. It is a false positive by them.
You need to disable AVG and then run OTSCANIT.EXE.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I will let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Edited by SifuMike, 13 August 2008 - 12:28 PM.


#7 Q.T.Quazar (Topic Starter)

Posted 17 August 2008 - 10:11 PM

sorry for the delay... was getting some kind of weird refusal from the server when trying to download otscanit.exe

succeeded today and ran it. log is too long, sending to the address provided.

cheers.

#8 SifuMike (malware expert)

Posted 17 August 2008 - 10:20 PM

was getting some kind of weird refusal from the server when trying to download otscanit.exe


Many antivirus programs give a false positive when they see OTSCANIT.EXE. You just need to disable your antivirus when downloading it.

#9 SifuMike (malware expert)

Posted 17 August 2008 - 10:55 PM

Hi Q.T.Quazar,


Step #1

I notice that you have Spybot's TeaTimer running.
While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes.
So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.



Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\ciionnnn.ini
%systemroot%\system32\ciionnnn.ini2
%systemroot%\system32\dcqfdglp.ini
%systemroot%\system32\fhgmouvw.ini
%systemroot%\system32\fhgmouvw.ini2
%systemroot%\system32\sjxjqyif.ini
%systemroot%\system32\uuabmpym.ini
%systemroot%\system32\uuewjgjm.ini
Folders to delete:
%systemdrive%\vundofix backups

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {64766BE9-083B-489A-8FCF-27ED29434468} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {CA33656D-11A4-49AE-94C4-69F67042F387} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {8A11BBE3-E0B5-40FB-9D86-E08A52B51B47} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {FB3486FF-2A37-4536-B847-D999BA4E7776} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\Windows\system32\nnnnOiIC -> 
< BotCheck > -> 
[Files/Folders - Created Within 30 days]
NY -> CIiOnnnn.ini -> %SystemRoot%\System32\CIiOnnnn.ini
NY -> CIiOnnnn.ini2 -> %SystemRoot%\System32\CIiOnnnn.ini2
NY -> dcqfdglp.ini -> %SystemRoot%\System32\dcqfdglp.ini
NY -> fhgMoUvw.ini -> %SystemRoot%\System32\fhgMoUvw.ini
NY -> fhgMoUvw.ini2 -> %SystemRoot%\System32\fhgMoUvw.ini2
NY -> sjxjqyif.ini -> %SystemRoot%\System32\sjxjqyif.ini
NY -> uuabmpym.ini -> %SystemRoot%\System32\uuabmpym.ini
NY -> uuewjgjm.ini -> %SystemRoot%\System32\uuewjgjm.ini
[Files/Folders - Modified Within 30 days]
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> CIiOnnnn.ini -> %SystemRoot%\System32\CIiOnnnn.ini
NY -> CIiOnnnn.ini2 -> %SystemRoot%\System32\CIiOnnnn.ini2
NY -> dcqfdglp.ini -> %SystemRoot%\System32\dcqfdglp.ini
NY -> fhgMoUvw.ini -> %SystemRoot%\System32\fhgMoUvw.ini
NY -> fhgMoUvw.ini2 -> %SystemRoot%\System32\fhgMoUvw.ini2
NY -> sjxjqyif.ini -> %SystemRoot%\System32\sjxjqyif.ini
NY -> uuabmpym.ini -> %SystemRoot%\System32\uuabmpym.ini
NY -> uuewjgjm.ini -> %SystemRoot%\System32\uuewjgjm.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

Run a new OTScanIt scan with the following options


Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here:
1. The Avenger report (c:\Avenger.txt). This will be a small file so you can post it.

2. The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. ) This will be a small file so you can post it.

3. The new OTScanIt scan log
If the file is too big to post, then you can upload it to me here. Let me know when you post it.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#10 Q.T.Quazar (Topic Starter)

Posted 18 August 2008 - 07:33 AM

Avenger.txt logfile:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\system32\ciionnnn.ini" deleted successfully.
File "C:\Windows\system32\ciionnnn.ini2" deleted successfully.
File "C:\Windows\system32\dcqfdglp.ini" deleted successfully.
File "C:\Windows\system32\fhgmouvw.ini" deleted successfully.
File "C:\Windows\system32\fhgmouvw.ini2" deleted successfully.
File "C:\Windows\system32\sjxjqyif.ini" deleted successfully.
File "C:\Windows\system32\uuabmpym.ini" deleted successfully.
File "C:\Windows\system32\uuewjgjm.ini" deleted successfully.
Folder "C:\vundofix backups" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



otscanit fixlog:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64766BE9-083B-489A-8FCF-27ED29434468}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64766BE9-083B-489A-8FCF-27ED29434468}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA33656D-11A4-49AE-94C4-69F67042F387}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA33656D-11A4-49AE-94C4-69F67042F387}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{8A11BBE3-E0B5-40FB-9D86-E08A52B51B47} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A11BBE3-E0B5-40FB-9D86-E08A52B51B47}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{FB3486FF-2A37-4536-B847-D999BA4E7776} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB3486FF-2A37-4536-B847-D999BA4E7776}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\Windows\system32\nnnnOiIC deleted successfully.
File not found.
[Files/Folders - Created Within 30 days]
File C:\Windows\System32\CIiOnnnn.ini not found!
File C:\Windows\System32\CIiOnnnn.ini2 not found!
File C:\Windows\System32\dcqfdglp.ini not found!
File C:\Windows\System32\fhgMoUvw.ini not found!
File C:\Windows\System32\fhgMoUvw.ini2 not found!
File C:\Windows\System32\sjxjqyif.ini not found!
File C:\Windows\System32\uuabmpym.ini not found!
File C:\Windows\System32\uuewjgjm.ini not found!
[Files/Folders - Modified Within 30 days]
File C:\VundoFix Backups not found!
File C:\Windows\System32\CIiOnnnn.ini not found!
File C:\Windows\System32\CIiOnnnn.ini2 not found!
File C:\Windows\System32\dcqfdglp.ini not found!
File C:\Windows\System32\fhgMoUvw.ini not found!
File C:\Windows\System32\fhgMoUvw.ini2 not found!
File C:\Windows\System32\sjxjqyif.ini not found!
File C:\Windows\System32\uuabmpym.ini not found!
File C:\Windows\System32\uuewjgjm.ini not found!
[Empty Temp Folders]
File delete failed. C:\Users\Q.T.Quazar\AppData\Local\Temp\etilqs_DrVRgHNSNz7qJfJpaqEh scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08182008_184437

Files moved on Reboot...
File C:\Users\Q.T.Quazar\AppData\Local\Temp\etilqs_DrVRgHNSNz7qJfJpaqEh not found!
C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_001_ moved successfully.
C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_002_ moved successfully.
C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_003_ moved successfully.
C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\urlclassifier3.sqlite moved successfully.
C:\Users\Q.T.Quazar\AppData\Local\Mozilla\Firefox\Profiles\wzf71cxz.default\XUL.mfl moved successfully.


the following is from F-SECURE's report:

Scanning Report
Monday, August 18, 2008 19:11:42 - 20:23:11

Computer name: Q13
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\
Result: 3 malware found
Tracking Cookie (spyware)

* System

VBS/Uisgon.A (virus)

* E:\U.VBE (Submitted)

Virus.BAT.Agent.y (virus)

* E:\AUTORUN.INF (Submitted)

Statistics
Scanned:

* Files: 50502
* System: 5489
* Not scanned: 21

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 3
* Submitted: 2

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\USERS\Q.T.QUAZAR\APPDATA\LOCAL\TEMP\ETILQS_14AFMLEZAHNE15KP4YXS
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CB17847E4495B642EBD95874875722D4_31C3E644-C655-4250-886B-9347CDDCB888
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CB17847E4495B642EBD95874875722D4_31C3E644-C655-4250-886B-9347CDDCB888
* C:\BOOT\BCD

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-08-18
* F-Secure AVP: 7.0.171, 2008-08-17
* F-Secure Pegasus: 1.20.0, 2008-04-15

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



final log has also been sent as requested, too large.


in reference to your previous post, teatimer.exe was already disabled.


cheers.

#11 SifuMike (malware expert)

Posted 18 August 2008 - 10:11 AM

Hi Q.T.Quazar,

That log looks fine. :thumbsup:

If there aren't any other issues then go ahead and run the system normally for a day and then get back with me and let me know if there are any continuing issues.

If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

#12 Q.T.Quazar (Topic Starter)

Posted 19 August 2008 - 07:27 AM

great, thanks. i'll post back in 24.

#13 SifuMike (malware expert)

Posted 27 August 2008 - 11:50 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



