
Browser Hijack Or Something?


20 replies to this topic

#1 uncle leo


  • Members
  • 49 posts

Posted 20 August 2008 - 08:13 PM

Hello

I think (at the least) my browser has been hijacked. Some sites I can access but others I can't. I've tried to update my anti virus (Symantec) malware applications (Spybot, Super Anti Spyware) to attempt to remove any possible problems, but I get various messages indicating that I'm not connected to the internet (I am) or that there are issues with the firewall (to my knowledge there isn't). In any case, I've run HJT and here's the log. Hopefully, someone out there can provide me some guidance.

Thanks in advance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:50 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Send to 'Perfect PDF Creator Essentials' - {722FE9B2-6895-42D9-9984-F4CB26616023} - C:\Program Files\Cosmi\Perfect PDF Creator Essentials\pdfshell.dll
O9 - Extra 'Tools' menuitem: Send to 'Perfect PDF Creator Essentials' - {722FE9B2-6895-42D9-9984-F4CB26616023} - C:\Program Files\Cosmi\Perfect PDF Creator Essentials\pdfshell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\JACOB\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: soft Xpansion Print2Document (WPEServ) - soft Xpansion - C:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 10060 bytes
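A reviewer working through a log like the one above starts with the autostart locations and asks of each entry whether the file exists and whether its name looks like something a vendor would ship. The Python below is an added example written for this page, not a HijackThis feature and not anything the helpers in this thread ran: it parses HJT-style lines and ranks the entries a reviewer would look at first. The sample lines are copied from the log above; the rules, thresholds and severity labels are my own triage heuristics, and a hit means "look at this entry", not "this entry is malicious".

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread, not part of HijackThis or of any tool named in
the posts. The rules encode what a log reviewer checks first: autostart
locations that load code into every process, autostart entries whose names
look machine-generated, and entries that point at no file.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HJT log posted above, with ordinary
# entries from the same log mixed in so both kinds are exercised.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


SECTION = re.compile(r"^(O\d+) - (.*)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")
RUN_ENTRY = re.compile(r"^HK[^:]*\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1]


def looks_random(name: str) -> bool:
    """Name-shape hint (my own threshold choices): a 6+ character alphanumeric
    stem that is all hex, nearly vowel-free, or has a long consonant run.
    'saswinlo' and 'jusched' pass; 'nuthdsxx' and 'a05cecbf' do not. Short
    vowel-poor legitimate names (e.g. 'ctfmon') would also trip it, so the
    rules below only consult it for entries already in a sensitive location."""
    stem = name.lower().split(".")[0]
    if len(stem) < 6 or not stem.isalnum():
        return False
    if HEX_NAME.match(stem):
        return True
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    return vowel_ratio < 0.25 or CONSONANT_RUN.search(stem) is not None


def classify(line: str) -> Optional[Finding]:
    """Apply the triage rules to one HJT line; None means nothing to flag."""
    m = SECTION.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()

    if section == "O2" and rest.endswith("(no file)"):
        return Finding("medium", "BHO registered but its DLL is missing (orphaned entry)", line)

    if section == "O4":
        run, dll = RUN_ENTRY.match(rest), RUNDLL.search(rest)
        if not (run and dll):
            return None  # plain executables are not judged by this rule
        name, target = run.group("name"), basename(dll.group(1))
        if looks_random(name) or looks_random(target):
            return Finding("high", f"rundll32 autostart of {target} under machine-looking value name [{name}]", line)
        return Finding("medium", f"rundll32 autostart of {target}; verify the DLL", line)

    if section == "O20" and rest.startswith("AppInit_DLLs:"):
        value = rest.split(":", 1)[1].strip()
        if value:  # AppInit DLLs are mapped into every user32-linked process
            return Finding("high", f"AppInit_DLLs loads {value} into every user32-linked process", line)

    if section == "O20" and rest.startswith("Winlogon Notify:"):
        name, _, path = rest[len("Winlogon Notify:"):].partition(" - ")
        name, path = name.strip(), path.strip()
        if not path.lower().endswith(".dll"):
            return Finding("high", f"Winlogon Notify package {name} has no DLL path ({path or 'empty'})", line)
        if looks_random(name):
            return Finding("medium", f"Winlogon Notify package {name} has a machine-looking name", line)
    return None


def scan(log_text: str) -> List[Finding]:
    """All findings for a log, high severity first, log order within a level."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: 0 if f.severity == "high" else 1)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n          {f.line}")
```

Run on the sample it reports four entries in the order a reviewer would check them: the hex-named Run value that loads a DLL through rundll32, the AppInit_DLLs value, the Winlogon Notify package that has no DLL path, and the orphaned BHO; the Java, ctfmon, SUPERAntiSpyware and Bonjour entries are left alone. Each rule keys on a different property (value name shape, load location, missing file), which is why none of the three high-severity hits depends on the name test alone.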


#2 uncle leo

  • Topic Starter

  • Members
  • 49 posts

Posted 25 August 2008 - 07:36 PM

Hi again,

I would like to thank those who have taken the time to look at my original post. I hate to sound impatient but if there is anyone who might be able to help me, I would very much appreciate it. Life with a buggy computer is a drag!

Thanks again

#3 mas_pogi

  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP

Posted 03 September 2008 - 10:31 AM

Hello and Welcome to the forums!

My name is Mas_pogi/Mark and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

#4 mas_pogi

  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP

Posted 04 September 2008 - 07:03 PM

Hi Uncle Leo,

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

BTW, I am still in training; I will be helping you under the supervision of our expert teachers, so there may be a delay between posts.

If you still need help, please follow the instructions below:
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
  • Open HijackThis, click Config, click Misc Tools.
    • Click "Open Uninstall Manager".
    • Click "Save List" (generates uninstall_list.txt).
    • Click Save, copy and paste the results in your next post.
    • More information, with a screenshot, can be found here.
In your reply please post the RSIT's log.txt and info.txt and Uninstall_list.txt. Copy and paste it in your reply. Do not attach it.




Mark


EDIT...REVISED

Edited by mas_pogi, 04 September 2008 - 07:38 PM.


#5 uncle leo

  • Topic Starter

  • Members
  • 49 posts

Posted 04 September 2008 - 09:23 PM

Hey Mark,

Thanks for responding. I've been helped by the site before and I'm glad I can rely on the generosity of those smarter than myself. This will be a learning experience for the both of us I guess.

Just to let you know what's happening with IE, when I click on a link on a search results page, I get redirected; often to another results page. Sometimes I can type the URL of the page I want into the bar at the top of the browser and I will get to the page I want but other times not. In fact, I need to use another computer to communicate with you because the infected one is too unreliable (e.g. I can't properly navigate to the page I need to download something).

Anyway, I managed to update Java, although the steps I took were not exactly as you described (the installation ran right away; it did not save the program to my computer). The site validated my updated version and I got rid of the older one. I managed to download RSIT and copy it to the problem computer where I ran it.

Here are the logs you requested. Hope to hear from you soon.

Thanks,

'Leo'

************

Logfile of random's system information tool (written by random/random)
Run by Benson at 2008-09-04 21:54:04
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (25%) free of 38 GB
Total RAM: 759 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:11 PM, on 9/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Benson\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Benson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: soft Xpansion Print2Document (WPEServ) - soft Xpansion - C:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 7642 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1125426741.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-08-14 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E340569-3B9F-47FA-B376-472A7930D1D3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll [2006-01-17 282624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]
"EPSON Stylus Photo R320 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE [2004-04-26 98304]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2003-05-21 90112]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-10-19 126976]
"a05cecbf"=C:\WINDOWS\system32\nuthdsxx.dll [2008-08-19 99456]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EPSON Stylus Photo R320 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE [2004-04-26 98304]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe [2006-09-14 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe [2004-05-05 262210]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-02-01 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe [2002-12-02 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe [2002-12-02 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="sjokxu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-09-04 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBQIXND]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2003-05-21 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-07-06 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\opnnkkkl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Benson\Desktop\Sean's Things\LimeWire\LimeWire.exe"="C:\Documents and Settings\Benson\Desktop\Sean's Things\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe"="C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe:*:Disabled:lh"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe:*:Enabled:Ad-Aware"
"C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"="C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE:*:Enabled:SUPERAntiSpyware Free Edition"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3a0c9c5-9212-11dc-9398-000d565d4e3e}]
shell\AutoRun\command - G:\LCMonitor.exe


File associations

.js - open - C:\Corel\Suite8\Programs\CCWin\Cscape.exe

List of files/folders created in the last three months

2008-09-04 21:54:04 ----D---- C:\rsit
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\java.exe
2008-09-04 19:57:43 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-09-03 18:15:55 ----A---- C:\WINDOWS\system32\windows_update.exe
2008-09-01 03:01:11 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-08-30 17:30:34 ----D---- C:\WINDOWS\Prefetch
2008-08-30 16:56:40 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-08-30 16:56:30 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-08-30 16:56:19 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-08-30 16:56:08 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-08-30 16:55:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-08-30 16:55:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-08-30 16:55:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-08-30 16:55:26 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-08-30 16:55:16 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-08-30 16:55:03 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-08-30 16:49:45 ----A---- C:\WINDOWS\setuplog.txt
2008-08-30 16:48:26 ----D---- C:\WINDOWS\system32\scripting
2008-08-30 16:48:23 ----D---- C:\WINDOWS\system32\en
2008-08-30 16:48:23 ----D---- C:\WINDOWS\l2schemas
2008-08-30 15:05:21 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-08-30 15:05:18 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-08-30 15:05:13 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-30 15:05:13 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-08-30 15:04:58 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-08-30 15:04:57 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-08-30 15:04:44 ----N---- C:\WINDOWS\system32\setupn.exe
2008-08-30 15:04:41 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-08-30 15:04:40 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qutil.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qagent.dll
2008-08-30 15:04:36 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-08-30 15:04:34 ----N---- C:\WINDOWS\system32\onex.dll
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napstat.exe
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-08-30 15:04:19 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-08-30 15:04:19 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-08-30 15:04:17 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-08-30 15:04:17 ----N---- C:\WINDOWS\system32\mssha.dll
2008-08-30 15:04:01 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-30 15:03:48 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-08-30 15:03:48 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-08-30 15:03:35 ----N---- C:\WINDOWS\system32\smtpapi.dll
2008-08-30 15:03:34 ----N---- C:\WINDOWS\system32\rwnh.dll
2008-08-30 15:03:21 ----A---- C:\WINDOWS\006002_.tmp
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-08-30 15:03:14 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-08-30 15:03:11 ----N---- C:\WINDOWS\system32\credssp.dll
2008-08-30 15:03:07 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-08-30 15:03:06 ----N---- C:\WINDOWS\system32\azroles.dll
2008-08-30 15:02:58 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-08-23 09:37:07 ----A---- C:\WINDOWS\cookies.ini
2008-08-20 20:20:02 ----D---- C:\WINDOWS\system32\LogFiles
2008-08-20 12:26:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
2008-08-20 12:25:57 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
2008-08-20 12:25:48 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-08-20 12:24:26 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
2008-08-20 12:21:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-08-20 12:20:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
2008-08-20 12:19:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951066_0$
2008-08-19 16:05:14 ----SH---- C:\WINDOWS\system32\xxsdhtun.ini
2008-08-19 16:05:03 ----A---- C:\WINDOWS\system32\nuthdsxx.dll
2008-08-19 16:02:52 ----A---- C:\WINDOWS\system32\sjokxu.dll
2008-08-19 16:02:51 ----A---- C:\WINDOWS\system32\gwpuslxt.dll
2008-08-04 05:05:38 ----A---- C:\WINDOWS\system32\ab7f28c1-.txt
2008-08-04 05:04:44 ----ASH---- C:\WINDOWS\system32\lkkknnpo.ini2
2008-08-04 05:04:44 ----ASH---- C:\WINDOWS\system32\lkkknnpo.ini
2008-07-09 03:01:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
2008-06-20 03:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
2008-06-10 22:16:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951698_0$
2008-06-10 22:16:21 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$
2008-06-10 22:16:11 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2008-06-10 22:15:54 ----HDC---- C:\WINDOWS\$NtUninstallKB951376_0$

List of drivers

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-04-15 55216]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 OMCI;OMCI; C:\WINDOWS\system32\SYSTEM32\DRIVERS\OMCI.SYS []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\system32\System32\drivers\ws2ifsl.sys []
R2 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-04-15 22713]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080903.003\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080903.003\NAVEX15.sys []
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-10-08 120830]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-10-08 98842]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2002-11-27 50960]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2002-11-27 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2002-11-27 22384]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

List of services

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-04 611664]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [2003-05-21 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [2003-05-21 610304]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-11-27 65536]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WPEServ;soft Xpansion Print2Document; C:\Program Files\Common Files\WPE\wpeserv.exe [2007-05-08 323584]

-----------------EOF-----------------

info.txt logfile of random's system information tool 2008-09-04 21:54:18

Uninstall list

-->MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
01-mp3search 4.0-->C:\PROGRA~1\01-MP3~1\Setup.exe /remove
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.1-->MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Photoshop Elements 5.0-->msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Black and White-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE}\setup.exe"
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom 440x 10/100 Integrated Controller-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Corel WordPerfect Suite 8-->C:\Corel\Suite8\AppMan\Setup\REMOVELAUNCHER.EXE
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
EPSON CardMonitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON PhotoStarter3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5983C895-DDA4-45D9-A8D1-877D5DE7693E}\Setup.exe" uninst
EPSON Print CD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\setup.exe" -l0x9 -SYSTEM
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ESPR320 Reference Guide-->C:\Program Files\epson\guide\spr320_le\uninstall.exe
Flickr Uploadr 2.5.0.15-->"C:\Program Files\Flickr Uploadr\uninstall.exe"
Google Video Player-->"C:\Documents and Settings\Sean\Desktop\Sean's Folder\Google Video Player\Uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp instant support-->C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe /s CeS
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One Drivers-->MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - All-in-One-->MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - hp psc 1200 series-->C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series-->MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
Ink Monitor-->C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
Intel RSX 3D-->C:\WINDOWS\system32\rsxunins.exe
Intel® Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
iTunes-->MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire 4.12.6-->"C:\Documents and Settings\Benson\Desktop\Sean's Things\LimeWire\uninstall.exe"
LiveUpdate 1.80 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft FrontPage 2000-->MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSN Toolbar-->C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\mtbs.exe c
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Perfect PDF Creator Essentials-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02C2F0BB-B480-4121-BE86-33B70E53070B}\setup.exe" -l0x9
QuickTax 2006-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAFDA89B-1031-4BDB-8619-DE20CBDEDF32}\isetup.ex_" -l0x9 -uninst
QuickTax 2007-->MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
QuickTax Tracker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8992B88E-D45E-443B-A329-2F8DC03ECB0A} anything
QuickTime-->MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RollerCoaster Tycoon 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
Security Update for 2007 Microsoft Office System (KB951596)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E}
Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Visio 2007 (KB947590)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
SigmaTel MSCN Audio Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9B59DAD-86AC-456C-80A7-B665E77AA325}\setup.exe" -l0x9
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus Client-->MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Photos Easy Upload Tool 1v6-->C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropperCA.dll"
Yahoo! Photos Easy Upload Tool-->C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"

Hosts File

127.0.0.1 localhost

Environment variables

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------

01-mp3search 4.0
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.1.2
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Black and White
Bonjour
Broadcom 440x 10/100 Integrated Controller
Corel WordPerfect Suite 8
Dell ResourceCD
EPSON CardMonitor
EPSON PhotoStarter3.0
EPSON Print CD
EPSON Printer Software
ESPR320 Reference Guide
Flickr Uploadr 2.5.0.15
Google Video Player
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Ink Monitor
Intel RSX 3D
Intel® Extreme Graphics Driver
iTunes
Java™ 6 Update 7
LimeWire 4.12.6
LiveUpdate 1.80 (Symantec Corporation)
Microsoft FrontPage 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
MSN Music Assistant
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Perfect PDF Creator Essentials
QuickTax 2006
QuickTax 2007
QuickTax Tracker
QuickTime
RollerCoaster Tycoon 2
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
SigmaTel MSCN Audio Player
SoundMAX
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Symantec AntiVirus Client
Update for Office 2007 (KB946691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Easy Upload Tool 1v6

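The "List of files/folders created in the last three months" section above is the part of an RSIT log a helper reads first. As an added example (not part of this thread, and not RSIT's own code), the following Python parses that section and applies two defender-side triage heuristics: hidden or system attributes on a file dropped into system32, and an .ini whose base name is the reverse of a .dll's base name in the same directory (an assumption drawn from general experience with adware families of that era, not something this thread states). The sample lines are copied from the log above; a flag is a reason to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a subset of the "files/folders created" section of the
# RSIT log posted above, plus the header of the next section that ends it.
SAMPLE_LOG = r"""List of files/folders created in the last three months

2008-09-04 21:54:04 ----D---- C:\rsit
2008-09-03 18:15:55 ----A---- C:\WINDOWS\system32\windows_update.exe
2008-08-30 15:05:21 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-08-19 16:05:14 ----SH---- C:\WINDOWS\system32\xxsdhtun.ini
2008-08-19 16:05:03 ----A---- C:\WINDOWS\system32\nuthdsxx.dll
2008-08-19 16:02:52 ----A---- C:\WINDOWS\system32\sjokxu.dll
2008-08-04 05:04:44 ----ASH---- C:\WINDOWS\system32\lkkknnpo.ini
2008-08-04 05:04:44 ----ASH---- C:\WINDOWS\system32\lkkknnpo.ini2

List of drivers
"""

# One RSIT line: timestamp, attribute letters between dashes, then the path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----([A-Z]*)---- (.+?)\s*$")
SECTION_HEADER = "List of files/folders created"


@dataclass
class Entry:
    timestamp: str
    attrs: str  # RSIT attribute letters, e.g. "ASH" = archive, system, hidden
    path: str


def parse_created_files(text: str) -> List[Entry]:
    """Return the entries of the 'files/folders created' section of an RSIT log."""
    entries: List[Entry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if in_section and line.startswith("List of "):
            break  # the next section header ("List of drivers") ends ours
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), m.group(3)))
    return entries


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def _split_name(path: str) -> Tuple[str, str, str]:
    """Return (directory, stem, extension), all lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    return (directory, stem, ext) if dot else (directory, name, "")


def triage(text: str) -> List[Tuple[str, str]]:
    """Apply the two heuristics and return (path, reason) findings."""
    # Directories (attribute D) are skipped; both heuristics concern files.
    entries = [e for e in parse_created_files(text) if "D" not in e.attrs]
    findings: List[Tuple[str, str]] = []

    # Heuristic 1: a hidden (H) or system (S) file created in system32.
    for e in entries:
        if _in_system32(e.path) and ("H" in e.attrs or "S" in e.attrs):
            findings.append((e.path, f"hidden/system attributes ({e.attrs}) on a file in system32"))

    # Heuristic 2 (assumption, see lead-in): an .ini whose stem is the reverse
    # of a .dll stem in the same directory. Both halves of the pair are flagged.
    dlls: Dict[Tuple[str, str], str] = {}
    for e in entries:
        directory, stem, ext = _split_name(e.path)
        if ext == "dll":
            dlls[(directory, stem)] = e.path
    for e in entries:
        directory, stem, ext = _split_name(e.path)
        if ext != "ini":
            continue
        partner = dlls.get((directory, stem[::-1]))
        if partner:
            findings.append((e.path, f"name is the reverse of {partner}"))
            findings.append((partner, f"name is the reverse of {e.path}"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

Run against a full RSIT log the parser stops at the next "List of" header, so the driver and service sections are not mistaken for file entries. Anything flagged should be checked against a known-good Windows install (or a vendor database) before it is acted on; an unsigned file with odd attributes is a lead, not proof.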
#6 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP

Posted 06 September 2008 - 06:24 PM

hi.

Sorry for the delay. I really tried my best to reply to you as soon as possible, but there is some research I needed to do before posting my fix.

Just keep your computer disconnected. Please download the stuff I ask you to download on another computer, just like you did before. Maybe use a USB drive set to read-only when you plug it into your infected computer.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue, please do the following:
  • Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire). These programmes allow users to share files between them, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

    It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

    It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

    Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

  • Disable realtime scanners
  • I see you are running TeaTimer.
    I suggest you disable it because it can interfere with the changes you'll make on your system.
    When everything is done and your log is clean again, you can enable it again.
    If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    How to disable TeaTimer <== click me for instructions.
    After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (If you use Firefox, right-click the link and choose "save as".)
    Doubleclick ResetTeaTimer.bat and let it run.
    This will only take a few seconds.
    ------------------------------------------------------------------
  • Disable Superantispyware.
    Look for the icon of Superantispyware in your system tray. Right click on it.
    Click on Disable Real-Time Protection
    ------------------------------------------------------------------
  • NORTON ANTIVIRUS
    Please navigate to the system tray in the bottom right-hand corner and look for the Norton AntiVirus icon.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your PC)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the icon will change to show this.
You have successfully disabled the Norton AntiVirus guard.
You can re-enable it once your system is clean.


  • Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe




  • Please download VundoFix to your desktop.
  • Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.


  • Run HijackThis again and click Do a system scan only. Then post your log in your next reply.

In your reply:

SDFix's Report.txt
vundofix.txt
Fresh HijackThis log

Do not attach the files. Copy/paste them into your reply.



Mark

#7 uncle leo

  • Topic Starter
  • Members
  • 49 posts


Posted 07 September 2008 - 04:39 PM

Things went mostly as they were supposed to. I may not have disabled real-time protection on Norton properly, so when I rebooted from Safe Mode after running SDFix, it may have been enabled. When SDFix was running in Normal Mode, a message came up indicating Norton had found an infected file (tdssl.dll) which it had quarantined. VundoFix did not find anything. Here are the logs. Let me know what I need to do next. Here are the three requested logs.

Thanks.


SDFix: Version 1.222
Run by Benson on Sun 09/07/2008 at 04:32 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit:
C:\WINDOWS\system32\drivers\tdssserv.sys - Rootkit.Win32.Agent.cku

Name :
tdssserv

Path :
\systemroot\system32\drivers\TDSSserv.sys

tdssserv - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WINDOW~1.EXE - Deleted
C:\WINDOWS\system32\vav.cpl - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
C:\WINDOWS\system32\tdssinit.dll - Deleted
C:\WINDOWS\system32\tdssl.dll - Deleted
C:\WINDOWS\system32\tdsslog.dll - Deleted
C:\WINDOWS\system32\tdssmain.dll - Deleted
C:\WINDOWS\system32\tdssservers.dat - Deleted



Folder C:\Documents and Settings\Benson\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 16:51:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Benson\\Desktop\\Sean's Things\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Benson\\Desktop\\Sean's Things\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"="C:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe:*:Disabled:lh"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"="C:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe:*:Enabled:Ad-Aware"
"C:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"="C:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE:*:Enabled:SUPERAntiSpyware Free Edition"
"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"="C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 18 Jan 2008 70,144 ..SHR --- "C:\Program Files\01-mp3search\Setup.exe"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 31 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 31 Aug 2005 4,348 ...H. --- "C:\Documents and Settings\Benson\My Documents\My Music\License Backup\drmv1key.bak"
Wed 31 Aug 2005 20 A..H. --- "C:\Documents and Settings\Benson\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 31 Aug 2005 400 ...H. --- "C:\Documents and Settings\Benson\My Documents\My Music\License Backup\drmv2key.bak"
Wed 31 Aug 2005 1,536 A..H. --- "C:\Documents and Settings\Benson\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!




VundoFix V7.0.6

Scan started at 5:02:09 PM 9/7/2008

Listing files found while scanning....

No infected files were found.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:09 PM, on 9/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: soft Xpansion Print2Document (WPEServ) - soft Xpansion - C:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 7330 bytes

#8 mas_pogi

  • Carpal Tunnel of Love
  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP


Posted 08 September 2008 - 05:30 PM

hi.

We got one infection down. :thumbsup: A rootkit.

Things went mostly as they were supposed to. I may not have disabled real time protection on Norton properly, so when I rebooted from Safe Mode after running SDFix, it may have been enabled. When SDFix was running in Normal Mode, a message came up indicating Norton had found an infected file (tdssl.dll) which it had quarantined. Vundofix did not find anything.

It's alright. Norton found that file when the cloaking capability of the rootkit was taken away by SDFix.

Let's continue cleaning.

Please follow the instructions below.
  • Please download VundoFix.exe to your desktop if you don't already have it.
    • Open a new notepad window
    • Paste the list of files from the quote box below into the notepad window.

      C:\WINDOWS\system32\nuthdsxx.dll
      c:\windows\system32\sjokxu.dll
      C:\WINDOWS\006002_.tmp
      C:\WINDOWS\system32\opnnkkkl
      C:\WINDOWS\system32\xxsdhtun.ini
      C:\WINDOWS\system32\gwpuslxt.dll
      C:\WINDOWS\system32\ab7f28c1-.txt
      C:\WINDOWS\system32\lkkknnpo.ini2
      C:\WINDOWS\system32\lkkknnpo.ini

    • Save this as vundofix.vft and Save as type "all files".
    • Double-click VundoFix.exe to run it.
    • Drag vundofix.vft onto the listbox (white box) of VundoFix.
    • Right-click in the open window and select "Select all" (or manually add check marks) in the boxes preceding the file names.
    • With the boxes all checked select "Fix Vundo" - Do Not Select "Scan for Vundo"
    • You will receive a prompt asking "Are you sure you want to remove these files?", click Yes.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt to reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "select "Fix Vundo"" when VundoFix appears upon rebooting


  • Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

  • Copy and paste the following text into Notepad:

    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
     
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv]

    Save this as "fixme.reg" . Choose to save as *all files and place it on your Desktop.
    Double-click fixme.reg

  • Restart your computer in Normal mode.

  • Download GMER from here:
    http://www.gmer.net/files.php

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has run click Copy and paste the results (if any) into this thread.

  • Run RSIT again from your desktop and post the result in your reply.
In your reply please post the result of C:\vundofix.txt, RSIT's log.txt and the GMER result. Post it, do not attach it.

Thanks.
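
As an added example for this page (it is not from the thread and not part of HijackThis, SDFix, VundoFix or catchme), the following Python script applies the checks that the fix above relies on to the artefacts posted in this thread: it flags the HijackThis persistence entries that the VundoFix list and fixme.reg target (a rundll32 Run entry loading a random-named DLL, a populated AppInit_DLLs value, a Winlogon Notify package with no DLL path, an orphaned BHO), decodes the start/type values catchme reported for the hidden tdssserv service, and decodes the hex(7) REG_MULTI_SZ in fixme.reg to confirm it resets the LSA Authentication Packages list to the Windows default msv1_0 alone. The sample lines are copied from the logs above; the "random-looking DLL name" heuristic and the severity labels are this example's own assumptions, not HijackThis rules.

```python
"""Triage helpers for the artefacts posted in this thread.

Added example for this page (not part of HijackThis, SDFix, VundoFix or
the thread). Standard library only; it reads nothing from the registry
and deletes nothing, it only interprets text copied from the logs above.
"""
import re

# HijackThis lines copied from the log posted above (constructed sample
# input; a real run would read the whole saved log file).
SAMPLE_HJT = [
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll",
    "O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)",
    "O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe",
    "O4 - HKLM\\..\\Run: [a05cecbf] rundll32.exe \"C:\\WINDOWS\\system32\\nuthdsxx.dll\",b",
    "O20 - AppInit_DLLs: sjokxu.dll",
    "O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL",
    "O20 - Winlogon Notify: geBQIXND - C:\\WINDOWS\\",
]

# Heuristic (this example's assumption, not a HijackThis rule): Vundo drops
# DLLs named with 6-8 random lowercase letters directly in system32.
RANDOM_DLL = re.compile(r"system32\\([a-z]{6,8})\.dll", re.IGNORECASE)
RUNDLL32 = re.compile(r"\brundll32(\.exe)?\s", re.IGNORECASE)


def triage_hjt(lines):
    """Return (severity, reason, line) for HijackThis entries worth a look."""
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("O2 - BHO") and line.endswith("(no file)"):
            findings.append(("low", "orphaned BHO registration", line))
        elif line.startswith("O4 -") and RUNDLL32.search(line) and RANDOM_DLL.search(line):
            findings.append(("high", "rundll32 loads a random-named DLL at logon", line))
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("high", "AppInit_DLLs is loaded into every process that loads user32", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            target = line.rsplit(" - ", 1)[-1]
            if target.endswith("\\") or not target.lower().endswith(".dll"):
                findings.append(("high", "Winlogon Notify package without a DLL path", line))
    return findings


# Meaning of the Start/Type values catchme printed for the hidden tdssserv
# key, per the SERVICE_* constants in the Windows SDK.
SERVICE_START = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
                 2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
                 4: "SERVICE_DISABLED"}
SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}


def describe_service(start, svc_type):
    """Map the two DWORDs from a Services\\<name> key to their symbolic names."""
    return (SERVICE_START.get(start, "unknown(%d)" % start),
            SERVICE_TYPE.get(svc_type, "unknown(%#x)" % svc_type))


def decode_multi_sz(hex_bytes):
    """Decode a .reg hex(7) (REG_MULTI_SZ) value into its list of strings.

    REGEDIT4 exports store ANSI text; "Windows Registry Editor Version 5.00"
    exports store UTF-16LE. The encoding is guessed from whether every odd
    byte is NUL, which is reliable for the ASCII package names seen here.
    """
    raw = hex_bytes.replace("\\\n", "").replace(" ", "").split(",")
    data = bytes(int(b, 16) for b in raw if b)
    if data and len(data) % 2 == 0 and not any(data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def unexpected_lsa_packages(hex_bytes, expected=("msv1_0",)):
    """Authentication Packages entries beyond the Windows default msv1_0.

    Any extra name is a DLL that lsass.exe loads at boot and calls with the
    credentials of every logon, which is why the fix resets this value.
    """
    return [p for p in decode_multi_sz(hex_bytes) if p.lower() not in expected]


if __name__ == "__main__":
    for severity, reason, line in triage_hjt(SAMPLE_HJT):
        print("[%s] %s: %s" % (severity, reason, line))
    print(describe_service(1, 1))                       # values from the catchme output
    print(decode_multi_sz("6d,73,76,31,5f,30,00,00"))  # the hex(7) data from fixme.reg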

#9 uncle leo

  • Topic Starter
  • Members
  • 49 posts


Posted 08 September 2008 - 08:52 PM

Hi Mark,

Most things went well. It looks like VundoFix couldn't remove a couple of files. I tried three times with the same results. (Couldn't I just go into the folder and delete them manually?)

Here are the logs as requested.

Thanks for your continued help.




Beginning removal...

Attempting to delete C:\WINDOWS\006002_.tmp
C:\WINDOWS\006002_.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ab7f28c1-.txt
C:\WINDOWS\system32\ab7f28c1-.txt Has been deleted!

Attempting to delete C:\WINDOWS\system32\gwpuslxt.dll
C:\WINDOWS\system32\gwpuslxt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lkkknnpo.ini
C:\WINDOWS\system32\lkkknnpo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lkkknnpo.ini2
C:\WINDOWS\system32\lkkknnpo.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nuthdsxx.dll
C:\WINDOWS\system32\nuthdsxx.dll Could not be deleted.

Attempting to delete c:\windows\system32\sjokxu.dll
c:\windows\system32\sjokxu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xxsdhtun.ini
C:\WINDOWS\system32\xxsdhtun.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nuthdsxx.dll
C:\WINDOWS\system32\nuthdsxx.dll Could not be deleted.

Attempting to delete c:\windows\system32\sjokxu.dll
c:\windows\system32\sjokxu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xxsdhtun.ini
C:\WINDOWS\system32\xxsdhtun.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nuthdsxx.dll
C:\WINDOWS\system32\nuthdsxx.dll Could not be deleted.

Attempting to delete c:\windows\system32\sjokxu.dll
c:\windows\system32\sjokxu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xxsdhtun.ini
C:\WINDOWS\system32\xxsdhtun.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...


Logfile of random's system information tool (written by random/random)
Run by Benson at 2008-09-08 21:38:07
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (25%) free of 38 GB
Total RAM: 759 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:13 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Benson\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Benson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: soft Xpansion Print2Document (WPEServ) - soft Xpansion - C:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 7377 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1125426741.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E340569-3B9F-47FA-B376-472A7930D1D3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll [2006-01-17 282624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]
"EPSON Stylus Photo R320 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE [2004-04-26 98304]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2003-05-21 90112]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-10-19 126976]
"a05cecbf"=C:\WINDOWS\system32\nuthdsxx.dll [2008-08-19 99456]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EPSON Stylus Photo R320 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE [2004-04-26 98304]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe [2006-09-14 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe [2004-05-05 262210]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-02-01 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe [2002-12-02 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe [2002-12-02 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="sjokxu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-09-04 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBQIXND]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2003-05-21 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-07-06 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Benson\Desktop\Sean's Things\LimeWire\LimeWire.exe"="C:\Documents and Settings\Benson\Desktop\Sean's Things\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe"="C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe:*:Disabled:lh"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe:*:Enabled:Ad-Aware"
"C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"="C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE:*:Enabled:SUPERAntiSpyware Free Edition"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3a0c9c5-9212-11dc-9398-000d565d4e3e}]
shell\AutoRun\command - G:\LCMonitor.exe


File associations

.js - open - C:\Corel\Suite8\Programs\CCWin\Cscape.exe

List of files/folders created in the last three months

2008-09-08 21:16:30 ----A---- C:\WINDOWS\gmer.ini
2008-09-08 21:16:29 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-09-08 21:16:29 ----A---- C:\WINDOWS\gmer.dll
2008-09-08 21:16:28 ----A---- C:\WINDOWS\gmer.exe
2008-09-08 21:08:17 ----D---- C:\Program Files\ERUNT
2008-09-08 21:02:39 ----D---- C:\Registry Backup
2008-09-08 20:49:35 ----SH---- C:\WINDOWS\system32\xxsdhtun.ini
2008-09-08 20:28:35 ----A---- C:\vundofix.txt
2008-09-07 17:02:09 ----D---- C:\VundoFix Backups
2008-09-07 15:42:13 ----D---- C:\SDFix
2008-09-04 21:54:04 ----D---- C:\rsit
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\java.exe
2008-09-04 19:57:43 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-09-01 03:01:11 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-08-30 17:30:34 ----D---- C:\WINDOWS\Prefetch
2008-08-30 16:56:40 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-08-30 16:56:30 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-08-30 16:56:19 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-08-30 16:56:08 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-08-30 16:55:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-08-30 16:55:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-08-30 16:55:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-08-30 16:55:26 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-08-30 16:55:16 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-08-30 16:55:03 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-08-30 16:49:45 ----A---- C:\WINDOWS\setuplog.txt
2008-08-30 16:48:26 ----D---- C:\WINDOWS\system32\scripting
2008-08-30 16:48:23 ----D---- C:\WINDOWS\system32\en
2008-08-30 16:48:23 ----D---- C:\WINDOWS\l2schemas
2008-08-30 15:05:21 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-08-30 15:05:18 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-08-30 15:05:13 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-30 15:05:13 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-08-30 15:04:58 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-08-30 15:04:57 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-08-30 15:04:44 ----N---- C:\WINDOWS\system32\setupn.exe
2008-08-30 15:04:41 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-08-30 15:04:40 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qutil.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qagent.dll
2008-08-30 15:04:36 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-08-30 15:04:34 ----N---- C:\WINDOWS\system32\onex.dll
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napstat.exe
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-08-30 15:04:19 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-08-30 15:04:19 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-08-30 15:04:17 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-08-30 15:04:17 ----N---- C:\WINDOWS\system32\mssha.dll
2008-08-30 15:04:01 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-30 15:03:48 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-08-30 15:03:48 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-08-30 15:03:35 ----N---- C:\WINDOWS\system32\smtpapi.dll
2008-08-30 15:03:34 ----N---- C:\WINDOWS\system32\rwnh.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-08-30 15:03:14 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-08-30 15:03:11 ----N---- C:\WINDOWS\system32\credssp.dll
2008-08-30 15:03:07 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-08-30 15:03:06 ----N---- C:\WINDOWS\system32\azroles.dll
2008-08-30 15:02:58 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-08-23 09:37:07 ----A---- C:\WINDOWS\cookies.ini
2008-08-20 20:20:02 ----D---- C:\WINDOWS\system32\LogFiles
2008-08-20 12:26:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
2008-08-20 12:25:57 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
2008-08-20 12:25:48 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-08-20 12:24:26 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
2008-08-20 12:21:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-08-20 12:20:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
2008-08-20 12:19:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951066_0$
2008-08-19 16:05:03 ----N---- C:\WINDOWS\system32\nuthdsxx.dll
2008-08-19 16:02:52 ----N---- C:\WINDOWS\system32\sjokxu.dll
2008-07-09 03:01:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
2008-06-20 03:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$
2008-06-10 22:16:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951698_0$
2008-06-10 22:16:21 ----HDC---- C:\WINDOWS\$NtUninstallKB950762_0$
2008-06-10 22:16:11 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2008-06-10 22:15:54 ----HDC---- C:\WINDOWS\$NtUninstallKB951376_0$

List of drivers

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-04-15 55216]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 OMCI;OMCI; C:\WINDOWS\system32\SYSTEM32\DRIVERS\OMCI.SYS []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\system32\System32\drivers\ws2ifsl.sys []
R2 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-04-15 22713]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080905.006\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080905.006\NAVEX15.sys []
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-10-08 120830]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-10-08 98842]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
S3 catchme;catchme; \??\C:\DOCUME~1\Benson\LOCALS~1\Temp\catchme.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-08 85969]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2002-11-27 50960]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2002-11-27 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2002-11-27 22384]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

List of services

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-04 611664]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [2003-05-21 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [2003-05-21 610304]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-11-27 65536]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WPEServ;soft Xpansion Print2Document; C:\Program Files\Common Files\WPE\wpeserv.exe [2007-05-08 323584]

-----------------EOF-----------------



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-08 21:37:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE87BF20]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

---- EOF - GMER 1.0.14 ----

#10 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:08:41 AM

Posted 09 September 2008 - 04:55 PM

Hi Leo.

I think deleting it manually won't be possible. We already used a powerful tool to delete it, but it failed. We'll try another one.

Please follow the instructions promptly. If you have a question, please don't hesitate to ask before going through the instructions.

  1. Download RegDACL, and extract it to your desktop.
  2. Launch Notepad, and copy/paste the box below into a new text file. Save it as FixReg.bat, with "Save as type" set to all files. Be sure to save it in the same folder as the one where you extracted RegDACL.

     RegDACL HKLM\SYSTEM\ControlSet003\Services\tdssserv /GGE:F

  3. Open the RegDACL folder, double-click on the FixReg.bat you just created and allow it to run. Answer yes to any prompts.
  4. Launch Notepad, and copy/paste the box below into a new text file. Save it on your C:\ drive as fixu.reg. For the "save as type" choose all files.

     REGEDIT4

     [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv]

     • Locate fixme.reg on your Desktop and double-click on it.
     • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
     • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
  5. Download fa-setup.exe and save it to your desktop.
     • Double-click fa-setup.exe to install File Assassin.
     • Locate the File Assassin icon on your desktop.
     • Select the following file(s) to delete by dragging them onto the text area or select them using the (...) browse button.

       Put a check mark on toggle.

       Files to delete:
       C:\WINDOWS\system32\nuthdsxx.dll
       c:\windows\system32\sjokxu.dll
       C:\WINDOWS\system32\xxsdhtun.ini

       Deletions are done one file at a time. After the first file is deleted, proceed to the next file.
     • Click Execute and the removal process will begin.
     • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows".
     • Then proceed to the next file.
     Note: If you cannot find the file(s), you may have to reconfigure Windows XP to show hidden files and folders. Go to Control Panel > Folder Options > View > check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", and hit Apply > OK. (We are doing this so we can look for and delete hidden files if necessary, but don't delete anything other than what I ask you to delete. After your system is clean, follow the same procedure to hide these files and folders again to protect them from accidental deletion.)

  6. Restart your computer in normal mode.
  7. Run GMER again.
     Open the program and click on the Rootkit tab.
     Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
     Click on Scan.
     When the scan has run, click Copy and paste the results (if any) into this thread.
  8. Run RSIT again (it is located on your desktop) and post the result in your reply.

In your reply please post RSIT's log.txt and the GMER result. Post them, do not attach them.

Thanks.

Edited by mas_pogi, 09 September 2008 - 05:08 PM.

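The markers mas_pogi is working from in the post above (the AppInit_DLLs value, the Run entry that loads a DLL through rundll32 under an eight-hex-digit name, the Winlogon Notify package whose path is a bare directory, and the service key that only GMER's registry section shows) can be picked out of a HijackThis/GMER log mechanically. The script below is an added example for readers of this thread; it is not a tool from the thread, from HijackThis or from GMER. Its sample input is constructed from lines quoted in this thread plus one made-up benign rundll32 entry (NvCplDaemon) for contrast, and the scoring heuristics (hex-looking Run value names, one-letter rundll32 entry points) are the example author's assumptions, not rules either tool applies.

```python
"""Flag the persistence markers from this thread in HijackThis / GMER output.

Added example, not a tool from HijackThis, GMER or the thread itself.
The heuristics below are the example author's assumptions.
"""
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample input: lines quoted from the HijackThis and GMER logs posted
# in this thread, plus a constructed benign rundll32 entry (NvCplDaemon) so the
# Run-key rule has something legitimate to pass over.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
"""

RUN_ENTRY = re.compile(r"O4 - .*?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
APPINIT = re.compile(r"O20 - AppInit_DLLs: (?P<value>.*)$")
WINLOGON_NOTIFY = re.compile(r"O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
GMER_IMAGEPATH = re.compile(
    r"Reg HKLM\\SYSTEM\\\w+\\Services\\(?P<svc>[^@]+)@imagepath\s+(?P<img>.*)$", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)

Check = Callable[[str], Optional[str]]


def check_run_entry(line: str) -> Optional[str]:
    """rundll32 in a Run key is legitimate for some drivers; flag it only when the
    value name looks autogenerated (8 hex digits) or the export is a single letter."""
    m = RUN_ENTRY.match(line)
    if not m or "rundll32" not in m.group("cmd").lower():
        return None
    name, cmd = m.group("name"), m.group("cmd")
    export = cmd.rsplit(",", 1)[1].strip() if "," in cmd else ""
    if HEX_NAME.match(name) or len(export) == 1:
        return f"Run value '{name}' loads a DLL via rundll32 under an autogenerated-looking name"
    return None


def check_appinit(line: str) -> Optional[str]:
    """AppInit_DLLs is normally empty; any value is loaded into every process
    that links user32.dll, which is why it is a favourite injection point."""
    m = APPINIT.match(line)
    if m and m.group("value").strip():
        return f"AppInit_DLLs is set to '{m.group('value').strip()}'"
    return None


def check_winlogon_notify(line: str) -> Optional[str]:
    """A Winlogon Notify package must name a DLL; a bare directory (or nothing)
    means the registered file is hidden or has already been removed."""
    m = WINLOGON_NOTIFY.match(line)
    if m:
        path = m.group("path").strip()
        if not path or path.endswith("\\"):
            return f"Winlogon Notify package '{m.group('name')}' points at a directory, not a DLL"
    return None


def check_gmer_hidden_service(line: str) -> Optional[str]:
    """GMER's Registry section lists keys it read from the hive that the normal
    registry API did not show; a driver service there is exactly what the
    thread's RegDACL step is meant to unlock before the .reg file deletes it."""
    m = GMER_IMAGEPATH.match(line)
    if m:
        return f"GMER reports hidden driver service '{m.group('svc')}' -> {m.group('img')}"
    return None


CHECKS: Tuple[Check, ...] = (
    check_run_entry, check_appinit, check_winlogon_notify, check_gmer_hidden_service)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, offending line) pairs in log order, at most one per line."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append((reason, line))
                break
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[!] {reason}\n    {line}")
```

Run against the sample it reports exactly the four entries the helper targets and stays quiet on the SUPERAntiSpyware, hkcmd and NvCpl lines. The rules are deliberately narrow; they are a first pass to shortlist lines for a human, not a verdict, and a clean result from them says nothing about persistence mechanisms the log formats do not cover.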

#11 uncle leo

uncle leo
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 10 September 2008 - 07:42 PM

Things went mostly well. I was confused about something. In the first part of your instructions, I downloaded RegDACL, but found it odd that I didn't run the program; at least that was my interpretation of the instructions. Is that right?

File Assassin got rid of:

c:\windows\system32\sjokxu.dll
C:\WINDOWS\system32\xxsdhtun.ini

but not:

C:\WINDOWS\system32\nuthdsxx.dll

In fact, the program kept encountering an error and shutting down. It was early on in the process, while something-or-other was unloading (?). It was not up long enough for me to read before the program closed. I tried deleting the file both ways - same result.

Here are the logs. Hopefully they offer clues.

************

Logfile of random's system information tool (written by random/random)
Run by Benson at 2008-09-10 20:28:46
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (27%) free of 38 GB
Total RAM: 759 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:52 PM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Benson\Desktop\gmer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Benson\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Benson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: soft Xpansion Print2Document (WPEServ) - soft Xpansion - C:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 7429 bytes

Scheduled tasks folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1125426741.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E340569-3B9F-47FA-B376-472A7930D1D3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll [2006-01-17 282624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]
"EPSON Stylus Photo R320 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE [2004-04-26 98304]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2003-05-21 90112]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-10-19 126976]
"a05cecbf"=C:\WINDOWS\system32\nuthdsxx.dll [2008-08-19 99456]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EPSON Stylus Photo R320 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE [2004-04-26 98304]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-04 1576176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe [2006-09-14 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe [2004-05-05 262210]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-02-01 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe [2002-12-02 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe [2002-12-02 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="sjokxu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2008-09-04 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBQIXND]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2003-05-21 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-07-06 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"RunStartupScriptSync"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Benson\Desktop\Sean's Things\LimeWire\LimeWire.exe"="C:\Documents and Settings\Benson\Desktop\Sean's Things\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe"="C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe:*:Disabled:lh"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe:*:Enabled:Ad-Aware"
"C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"="C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE:*:Enabled:SUPERAntiSpyware Free Edition"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3a0c9c5-9212-11dc-9398-000d565d4e3e}]
shell\AutoRun\command - G:\LCMonitor.exe


File associations

.js - open - C:\Corel\Suite8\Programs\CCWin\Cscape.exe

List of files/folders created in the last three months

2008-09-10 19:57:13 ----SH---- C:\WINDOWS\system32\xxsdhtun.ini
2008-09-10 19:45:39 ----D---- C:\Program Files\FileASSASSIN
2008-09-08 21:16:30 ----A---- C:\WINDOWS\gmer.ini
2008-09-08 21:16:29 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-09-08 21:16:29 ----A---- C:\WINDOWS\gmer.dll
2008-09-08 21:16:28 ----A---- C:\WINDOWS\gmer.exe
2008-09-08 21:08:17 ----D---- C:\Program Files\ERUNT
2008-09-08 21:02:39 ----D---- C:\Registry Backup
2008-09-08 20:28:35 ----A---- C:\vundofix.txt
2008-09-07 17:02:09 ----D---- C:\VundoFix Backups
2008-09-07 15:42:13 ----D---- C:\SDFix
2008-09-04 21:54:04 ----D---- C:\rsit
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\javaws.exe
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\javaw.exe
2008-09-04 21:45:39 ----A---- C:\WINDOWS\system32\java.exe
2008-09-04 19:57:43 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-09-01 03:01:11 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-08-30 17:30:34 ----D---- C:\WINDOWS\Prefetch
2008-08-30 16:56:40 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-08-30 16:56:30 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-08-30 16:56:19 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-08-30 16:56:08 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-08-30 16:55:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-08-30 16:55:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-08-30 16:55:36 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-08-30 16:55:26 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-08-30 16:55:16 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-08-30 16:55:03 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-08-30 16:49:45 ----A---- C:\WINDOWS\setuplog.txt
2008-08-30 16:48:26 ----D---- C:\WINDOWS\system32\scripting
2008-08-30 16:48:23 ----D---- C:\WINDOWS\system32\en
2008-08-30 16:48:23 ----D---- C:\WINDOWS\l2schemas
2008-08-30 15:05:21 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-08-30 15:05:18 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-08-30 15:05:13 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-30 15:05:13 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-08-30 15:04:58 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-08-30 15:04:57 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-08-30 15:04:44 ----N---- C:\WINDOWS\system32\setupn.exe
2008-08-30 15:04:41 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-08-30 15:04:40 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qutil.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-08-30 15:04:38 ----N---- C:\WINDOWS\system32\qagent.dll
2008-08-30 15:04:36 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-08-30 15:04:34 ----N---- C:\WINDOWS\system32\onex.dll
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napstat.exe
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-08-30 15:04:20 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-08-30 15:04:19 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-08-30 15:04:19 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-08-30 15:04:17 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-08-30 15:04:17 ----N---- C:\WINDOWS\system32\mssha.dll
2008-08-30 15:04:01 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-08-30 15:04:00 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-30 15:03:48 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-08-30 15:03:48 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-08-30 15:03:47 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-08-30 15:03:35 ----N---- C:\WINDOWS\system32\smtpapi.dll
2008-08-30 15:03:34 ----N---- C:\WINDOWS\system32\rwnh.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-08-30 15:03:19 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-08-30 15:03:16 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-08-30 15:03:15 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-08-30 15:03:14 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-08-30 15:03:11 ----N---- C:\WINDOWS\system32\credssp.dll
2008-08-30 15:03:07 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-08-30 15:03:06 ----N---- C:\WINDOWS\system32\azroles.dll
2008-08-30 15:02:58 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-08-23 09:37:07 ----A---- C:\WINDOWS\cookies.ini
2008-08-20 20:20:02 ----D---- C:\WINDOWS\system32\LogFiles
2008-08-20 12:26:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
2008-08-20 12:25:57 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
2008-08-20 12:25:48 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
2008-08-20 12:24:26 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
2008-08-20 12:21:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-08-20 12:20:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
2008-08-20 12:19:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951066_0$
2008-08-19 16:05:03 ----N---- C:\WINDOWS\system32\nuthdsxx.dll
2008-07-09 03:01:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
2008-06-20 03:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2_0$

List of drivers

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-04-15 55216]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 OMCI;OMCI; C:\WINDOWS\system32\SYSTEM32\DRIVERS\OMCI.SYS []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\system32\System32\drivers\ws2ifsl.sys []
R2 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-04-15 22713]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-08 85969]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080905.006\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080905.006\NAVEX15.sys []
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-10-08 120830]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-10-08 98842]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
S3 catchme;catchme; \??\C:\DOCUME~1\Benson\LOCALS~1\Temp\catchme.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2002-11-27 50960]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2002-11-27 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2002-11-27 22384]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

List of services

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-04 611664]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [2003-05-21 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [2003-05-21 610304]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-11-27 65536]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WPEServ;soft Xpansion Print2Document; C:\Program Files\Common Files\WPE\wpeserv.exe [2007-05-08 323584]

-----------------EOF-----------------


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-10 20:27:51
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE87BF20]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.14 ----

#12 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:08:41 AM

Posted 11 September 2008 - 08:00 AM

Hi Leo,

Things went mostly well. I was confused about something. In the first part of your instructions, I downloaded RegDACL, but found it odd that I didn't run the program; at least that was my interpretation of the instructions. Is that right?

RegDACL worked just fine and removed the bad registry key. Thanks for letting me know.

Please follow the instructions below:
  • Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

  • Run HijackThis by double-clicking its icon on your desktop.
    Then press "Do a System Scan Only".

    When the scan is complete, place a check mark next to the following entries. Don't worry if they don't exist anymore.

    O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
    O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
    O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
    O20 - AppInit_DLLs: sjokxu.dll

    After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."

    Restart your computer in normal mode.

  • Run HijackThis again and click Do a system scan only. Then post your log in your next reply.

  • Enable your realtime scanners.
    • S&D Teatimer
    • Superantispyware
    • NORTON ANTIVIRUS
    Just do the opposite of the instructions I gave you before. I think you can do that :thumbsup:

  • Connect your computer to the internet now.

  • Run Scan with Kaspersky
    Please do a scan with Kaspersky Online Scanner.

    This scan is for Internet Explorer Only.

    If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
    • Open the Kaspersky Scanner page.
    • Click on Accept and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report.
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
In your reply, please post the Malwarebytes result, the Kaspersky report and a fresh HijackThis log.

How's your computer now?

Mark
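
The four HijackThis entries mas_pogi asks to have fixed above are all autostart or injection points: a BHO CLSID with no backing file, a Run value with a random hex name that loads a DLL through rundll32, a Winlogon Notify package whose path is a bare directory, and a non-empty AppInit_DLLs value (a DLL loaded into every process that maps user32). The triage script below is an added example, not code from this thread or from HijackThis; it parses O2/O4/O20 lines of the format pasted in this thread and reports which of them match those patterns. The sample log is constructed from the lines quoted in the thread plus two benign lines (the Java BHO and the SunJavaUpdateSched Run entry taken from the registry dump) for contrast, and the heuristics (8-hex-character Run names, rundll32 with a system32 DLL and export, directory-only Notify paths) are assumptions chosen to fit this infection, not a general malware classifier.

```python
"""Triage HijackThis-style O2/O4/O20 lines for the persistence patterns seen in this thread.

Added example; not part of the original thread or of HijackThis. The rules below
are assumptions tuned to the Vundo-style entries quoted above, not a general scanner.
"""
import re

# Constructed sample: the four lines mas_pogi asked to have fixed, plus two benign
# lines (built from the registry dump in the RSIT log) to show what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9E340569-3B9F-47FA-B376-472A7930D1D3} - (no file)
O4 - HKLM\..\Run: [a05cecbf] rundll32.exe "C:\WINDOWS\system32\nuthdsxx.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBQIXND - C:\WINDOWS\
O20 - AppInit_DLLs: sjokxu.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # "O20 - <body>"
RUN_RE = re.compile(r"\[([^\]]+)\]\s+(.*)")        # "[name] command line"
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}")           # e.g. a05cecbf
# rundll32 loading "<...>\system32\<file>.dll",<export>
RUNDLL_SYS32_RE = re.compile(r'\\system32\\[^\\"]+\.dll"?\s*,', re.IGNORECASE)


def parse_line(line):
    """Split an HJT line into (section, body), or None if it is not an O-line."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(line):
    """Return a '; '-joined reason string if the line matches a suspicious
    persistence pattern, else None (benign or unparseable)."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    reasons = []

    if section == "O2" and body.endswith("(no file)"):
        # Dangling Browser Helper Object: the CLSID remains but the DLL is gone.
        reasons.append("BHO with no backing file")

    elif section == "O4":
        m = RUN_RE.search(body)
        if m:
            name, cmd = m.groups()
            if "rundll32" in cmd.lower() and RUNDLL_SYS32_RE.search(cmd):
                reasons.append("rundll32 loading a system32 DLL by export name")
            if HEX_NAME_RE.fullmatch(name):
                reasons.append("Run value with random-looking 8-hex-char name")

    elif section == "O20":
        if body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # an empty AppInit_DLLs is the normal state
                reasons.append(f"AppInit_DLLs set to '{value}' (injected into every user32 process)")
        elif body.startswith("Winlogon Notify:"):
            target = body.split(":", 1)[1].strip()
            name, _, path = target.partition(" - ")
            if not path or path.endswith("\\"):
                reasons.append(f"Winlogon Notify package '{name}' points at a directory, not a DLL")

    return "; ".join(reasons) if reasons else None


def triage_log(text):
    """Run triage over every line; return [(line, reason)] for the flagged ones."""
    findings = []
    for line in text.splitlines():
        reason = triage(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_LOG):
        print(f"FLAG: {flagged_line}\n      {why}")
```

Running it on the constructed sample flags exactly the four lines in the fix list and leaves the Java BHO, the jusched.exe Run entry and the SUPERAntiSpyware Notify package alone. The empty-value case for AppInit_DLLs is handled on purpose: an empty value is the normal state and must not be reported after the fix has been applied.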

#13 uncle leo

uncle leo
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 13 September 2008 - 01:50 PM

Things went generally OK. Just when I think there is light at the end of the tunnel, though.....

Here are the logs.

Thanks.


Malwarebytes' Anti-Malware 1.28
Database version: 1142
Windows 5.1.2600 Service Pack 3

9/12/2008 7:52:24 PM
mbam-log-2008-09-12 (19-52-24).txt

Scan type: Quick Scan
Objects scanned: 57983
Time elapsed: 24 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nuthdsxx.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a05cecbf (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nuthdsxx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxsdhtun.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 13, 2008 14:46:04
Records in database: 1220742


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics
Files scanned 144992
Threat name 14
Infected objects 148
Suspicious objects 0
Duration of the scan 03:40:06

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04EC0000.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\052C0000.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06CC0000.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06CC0001.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06EC0000.VBN Infected: Rootkit.Win32.Clbd.jg 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06EC0001.VBN Infected: Trojan-Downloader.Win32.Small.acpi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06F40000.VBN Infected: Trojan-Downloader.Win32.Small.acpi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08040000.VBN Infected: Rootkit.Win32.Clbd.jg 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40002.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40003.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40004.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40005.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80001.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80003.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80004.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80005.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80006.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80007.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0000.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0001.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0003.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00000.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00001.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00003.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00004.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00005.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E40000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E40001.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E40002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08F40000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08F80000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08F80001.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40001.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\on-line.exe.bac_a00408 Infected: Trojan-Downloader.Win32.Femad.ds 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\on-line[1].exe.bac_a00408 Infected: Trojan-Downloader.Win32.Femad.ds 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\W2GWWLpCfNg9FiNJs8bg[1].chm.bac_a00408 Infected: Trojan-Downloader.HTML.Agent.i 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\W2GWWLpCfNg9FiNJs8bg[1].chm.bac_a00408 Infected: Trojan-Downloader.Win32.Femad.ds 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\Admin[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\english[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\hcr[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\index_configuration[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\installed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\MemberWizard[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\Options[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\UserEmailCheck[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\WhatsNew[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\AccountLogin[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\en[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\installed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\installed[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\onenetwork[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\PreRegistration[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\Reports[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\visitor.js[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\help[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\hockeycanada_ca[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\Options[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\Options[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\brand[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\cse[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\MemberSearch[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\onenetwork[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\onenetwork[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\search[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\windows_ie[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\300x350a[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\43[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\43[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\banner_24368[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cat_feed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cdm[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cdm[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cdm[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\checkj[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\counter[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\diggthis[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\imgres[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\modules[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\piclist[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\search[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\text_group[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\undefined[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\banner_24368_xml[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\cdm[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\classic-clips_contentdetail_ad[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\counter[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\iframe[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\imghp[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\imgres[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\lesbian[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\lesbian[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\main[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\offer[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\promounits[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\searchw44[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\Teen-lesbian-sex-73826[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\teen[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\viewtracker[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\yuvutu2[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\43[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\cats-on-a-treadmill[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\cat_feed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\cj[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\counter[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\Danae-and-Antea-lesbian-teens-59537[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\freeporn[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\g500128-pct[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\iframe_youporn_300x210[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\images[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\Naughty-Lesbian-47385[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\piclist[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\piclist[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\piclist[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\pornkolt_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\swfobject[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\text_group[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\text_group[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\yuvutu_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\1000[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\160x600fpi[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\180x800a[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\cat_feed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\cat_feed[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\google_ca[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\images[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\jump1[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\maingallery[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\page[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\pornkolt[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\porntubj_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\Teen-sex-44290[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\text_group[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\Wild-young-lesbian-66545[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\SDFix\backups\backups.zip Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.ax 1

C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.Agent.qmx 1

C:\VundoFix Backups\gwpuslxt.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.ctx 1

C:\VundoFix Backups\nuthdsxx.dll.bad Infected: Trojan.Win32.Monder.gfw 1

C:\VundoFix Backups\sjokxu.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.ctx 1

F:\WINDOWS\Downloaded Program Files\flash.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.be 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:44 PM, on 9/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: soft Xpansion Print2Document (WPEServ) - soft Xpansion - C:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 7229 bytes

#14 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:08:41 AM

Posted 15 September 2008 - 07:29 AM

Hi Leo.

So sorry for the delay.

We are almost there at the end. Just hang on. We can do it. :thumbsup:

Please follow the instructions below:
  • Copy and paste the following text into Notepad:

    Windows Registry Editor Version 5.00

    ; Clears the AppInit_DLLs value so sjokxu.dll is no longer injected at process start.
    ; Regedit only accepts the full root name here, not the HKLM abbreviation.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Save this as "fixme.reg". Choose to save as "All Files" and place it on your Desktop.
    Double-click fixme.reg

  • Download and Run OTMoveIT
    • Please download OTMoveIt2 by OldTimer to your desktop.
    • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


      C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS
      C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU
      C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH
      C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS
      C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK
      C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2
      C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM
      C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z
      c:\windows\system32\sjokxu.dll
      F:\WINDOWS\Downloaded Program Files\flash.inf
      EmptyTemp
      purity

    • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
    • Click the red MoveIt! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Restart your computer in normal mode.

  • Run HijackThis again and click Do a system scan only. Then post your log in your next reply.

  • Run Scan with Kaspersky
    Please do a scan with Kaspersky Online Scanner.

    This scan is for Internet Explorer Only.

    If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
    • Open the Kaspersky Scanner page.
    • Click on Accept and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
In your reply, please post the following:
  • OTMoveIt log
  • Kaspersky's
  • Fresh HijackThis log
Thanks.

Mark

Edited by mas_pogi, 15 September 2008 - 07:51 AM.
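The cross-check below is an added example, not part of mas_pogi's post or of any tool named in the thread. It reproduces the triage his instructions rest on, over sample lines constructed from the Kaspersky report and HijackThis log quoted above: it separates hits already sitting in AV quarantine or fix-tool backup folders from live files, collapses the per-file IE cache detections into the Content.IE5 folders handed to OTMoveIt, and checks whether the O20 AppInit_DLLs name is corroborated by a scanner hit (a match only in a backup folder means the DLL is gone but the registry value still points at it, which is what fixme.reg clears). The function names and the quarantine-folder markers are assumptions of this example.

```python
"""Cross-check a HijackThis log against a Kaspersky Online Scanner report
(added example; not the thread's own tooling)."""
import re
from collections import Counter

# Kaspersky report line:  <path> Infected: <threat> <count>
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Everything up to and including the Content.IE5 subfolder of a cached file.
CACHE_FOLDER_RE = re.compile(r"^(?P<folder>.*\\Content\.IE5\\[^\\]+)\\", re.IGNORECASE)
# HijackThis O20 line listing DLLs loaded into every process that uses user32.
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.+)$")
# Assumed markers for locations where a hit is a stored, neutralised copy
# (AV quarantine, fix-tool backups) rather than a live file.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\sdfix\\backups\\", "\\vundofix backups\\")

# Constructed sample input, trimmed from the logs quoted in this thread.
KASPERSKY_REPORT = r"""
File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08040000.VBN Infected: Rootkit.Win32.Clbd.jg 1
C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\Admin[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\en[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cdm[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.Agent.qmx 1
C:\VundoFix Backups\sjokxu.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.ctx 1
F:\WINDOWS\Downloaded Program Files\flash.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.be 1
The selected area was scanned.
"""

HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""


def parse_kaspersky(report):
    """Return (path, threat, count) per detection line; header/footer lines are skipped."""
    hits = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits


def is_quarantined(path):
    """True when the hit is a stored copy that no longer executes from that location."""
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def cache_folders(hits):
    """Collapse per-file IE cache hits into their Content.IE5 subfolder, as the
    OTMoveIt list in the thread does, keeping the number of hits per folder."""
    folders = Counter()
    for path, _threat, count in hits:
        m = CACHE_FOLDER_RE.match(path)
        if m:
            folders[m["folder"]] += count
    return dict(folders)


def appinit_dlls(hjt_log):
    """DLL names from the O20 AppInit_DLLs line (comma or space separated)."""
    for line in hjt_log.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return [d for d in re.split(r"[,\s]+", m["dlls"]) if d]
    return []


def corroborate(dlls, hits):
    """Scanner hits whose file name contains an AppInit DLL name."""
    found = {}
    for dll in dlls:
        name = dll.lower()
        paths = [p for p, _t, _c in hits if name in p.lower().rsplit("\\", 1)[-1]]
        if paths:
            found[dll] = paths
    return found


def triage(hjt_log, report):
    """Summarise what is live, what is already contained, and what still needs fixing."""
    hits = parse_kaspersky(report)
    live = [h for h in hits if not is_quarantined(h[0])]
    dlls = appinit_dlls(hjt_log)
    return {
        "detections": len(hits),
        "quarantined": len(hits) - len(live),
        "live": len(live),
        "cache_folders": cache_folders(live),
        "appinit_dlls": dlls,
        "corroborated": corroborate(dlls, hits),
    }


if __name__ == "__main__":
    for key, value in triage(HJT_LOG, KASPERSKY_REPORT).items():
        print(f"{key}: {value}")
```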


#15 uncle leo

uncle leo
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 17 September 2008 - 05:12 PM

Sorry for taking so long. Life gets in the way of computers sometimes.

Ugh. What is the 'Guest' profile? I don't see that one when the computer boots up. Where does it come from? That's where a lot of this stuff seems to come from.

C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS moved successfully.
C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU moved successfully.
C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH moved successfully.
C:\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS moved successfully.
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK moved successfully.
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2 moved successfully.
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM moved successfully.
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z moved successfully.
File/Folder c:\windows\system32\sjokxu.dll not found.
F:\WINDOWS\Downloaded Program Files\flash.inf moved successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
< purity >

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09162008_191539


KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 16, 2008 21:53:54
Records in database: 1242681


Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics
Files scanned: 145129
Threat names: 14
Infected objects: 149
Suspicious objects: 0
Duration of the scan: 05:59:14

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04EC0000.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\052C0000.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06CC0000.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06CC0001.VBN Infected: Backdoor.Win32.UltimateDefender.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06EC0000.VBN Infected: Rootkit.Win32.Clbd.jg 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06EC0001.VBN Infected: Trojan-Downloader.Win32.Small.acpi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06F40000.VBN Infected: Trojan-Downloader.Win32.Small.acpi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08040000.VBN Infected: Rootkit.Win32.Clbd.jg 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40002.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40003.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40004.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40005.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80001.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80003.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80004.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80005.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80006.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D80007.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0000.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0001.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08DC0003.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00000.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00001.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00003.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00004.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E00005.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E40000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E40001.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08E40002.VBN Infected: Trojan.Win32.Vapsup.jry 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08F40000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08F80000.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08F80001.VBN Infected: Trojan.Win32.Vapsup.jrv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40001.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\on-line.exe.bac_a00408 Infected: Trojan-Downloader.Win32.Femad.ds 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\on-line[1].exe.bac_a00408 Infected: Trojan-Downloader.Win32.Femad.ds 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\W2GWWLpCfNg9FiNJs8bg[1].chm.bac_a00408 Infected: Trojan-Downloader.HTML.Agent.i 1

C:\Documents and Settings\Benson\.housecall6.6\Quarantine\W2GWWLpCfNg9FiNJs8bg[1].chm.bac_a00408 Infected: Trojan-Downloader.Win32.Femad.ds 1

C:\SDFix\backups\backups.zip Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.ax 1

C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.Agent.qmx 1

C:\VundoFix Backups\gwpuslxt.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.ctx 1

C:\VundoFix Backups\nuthdsxx.dll.bad Infected: Trojan.Win32.Monder.gfw 1

C:\VundoFix Backups\sjokxu.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.ctx 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\Admin[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\english[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\hcr[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\index_configuration[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\installed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\MemberWizard[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\Options[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\UserEmailCheck[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\OWTDIHCS\WhatsNew[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\AccountLogin[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\en[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\installed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\installed[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\onenetwork[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\PreRegistration[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\Reports[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\T58SMAPU\visitor.js[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\help[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\hockeycanada_ca[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\Options[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\VE4LQUNH\Options[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\brand[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\cse[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\MemberSearch[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\onenetwork[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\onenetwork[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\search[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Benson\Local Settings\Temporary Internet Files\Content.IE5\XBW3J0MS\windows_ie[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\300x350a[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\43[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\43[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\banner_24368[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cat_feed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cdm[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cdm[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\cdm[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\checkj[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\counter[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\diggthis[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\imgres[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\modules[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\piclist[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\search[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\text_group[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\7PYPU4FK\undefined[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\banner_24368_xml[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\cdm[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\classic-clips_contentdetail_ad[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\counter[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\iframe[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\imghp[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\imgres[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\lesbian[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\lesbian[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\main[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\offer[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\promounits[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\searchw44[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\Teen-lesbian-sex-73826[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\teen[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\viewtracker[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4L6GWI2\yuvutu2[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\43[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\cats-on-a-treadmill[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\cat_feed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\cj[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\counter[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\Danae-and-Antea-lesbian-teens-59537[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\freeporn[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\g500128-pct[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\iframe_youporn_300x210[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\images[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\Naughty-Lesbian-47385[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\piclist[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\piclist[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\piclist[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\pornkolt_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\swfobject[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\text_group[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\text_group[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\N5CE6XYM\yuvutu_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\1000[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\160x600fpi[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\180x800a[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\cat_feed[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\cat_feed[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\google_ca[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\images[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\index[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\jump1[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\maingallery[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\page[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\pornkolt[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\porntubj_com[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\Teen-sex-44290[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\text_group[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\X2AA2Y6Z\Wild-young-lesbian-66545[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

C:\_OTMoveIt\MovedFiles\09162008_191539\WINDOWS\Downloaded Program Files\flash.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.be 1

F:\System Volume Information\_restore{D007C398-F00C-46BB-A89A-6AA8D70A524E}\RP304\A0012859.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.be 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:51 PM, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: sjokxu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: soft Xpansion Print2Document (WPEServ) - soft Xpansion - C:\Program Files\Common Files\WPE\wpeserv.exe

--
End of file - 7246 bytes