
Some Version Of Bagle.


31 replies to this topic

#1 bammbamm21


Posted 20 September 2008 - 12:06 AM

So, in my haste at finally finding a file that I had been looking for for a long time, I forgot to scan it before opening it and am now infected. I have scanned with Spybot, Ad-Aware, Stinger, and BitDefender, which have turned up various files associated with the Bagle virus, per the instructions in the "Before you post a log" thread.

My symptoms are slow load times on web pages, and the ads on pages take forever to load. Other than that, I have no visible problems.

Not sure if I should post an HJT log first or wait for instructions, but I will post one anyway just to save time.

Any help would be appreciated. I did save ATF Cleaner to the desktop and ran that before posting the log.






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:58 AM, on 9/20/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Users\George\AppData\Roaming\MICROS~1\spoolsv.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlcl88\hmunmlcl88.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\George\AppData\Roaming\MICROS~1\spoolsv.exe
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\Users\George\AppData\Local\Temp\rsvp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [DllHst] C:\Users\George\LOCALS~1\APPLIC~1\dllhst3g.exe /waitservice
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9980 bytes



Any and all help would be appreciated.



#2 Starbuck

  • Malware Response Team

Posted 02 October 2008 - 04:09 PM

Hi bammbamm21

I apologize for the delay in response to your thread.
If you have since resolved the original problem you were having, I would appreciate you letting us know.
If not, please post back a new HJT log so I can have a look at the current condition of your machine.

Thanks



#3 bammbamm21


Posted 10 October 2008 - 06:56 PM

Thank you for responding. It was running fine for a week, and then today it started acting up again. The files found under Kaspersky keep coming back after deleting them and then restarting. I tried that shortly after the 5 days on here. I didn't touch anything on the HJT log. Kaspersky only picked up one thing when I originally had scanned it, and now it's picking up 5. Any help would be appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:01 AM, on 10/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Users\George\AppData\Roaming\MICROS~1\spoolsv.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\George\AppData\Roaming\MICROS~1\spoolsv.exe
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\Users\George\AppData\Local\Temp\rsvp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [DllHst] C:\Users\George\LOCALS~1\APPLIC~1\dllhst3g.exe /waitservice
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9922 bytes





Also, this file keeps coming back: C:\Users\George\AppData\Local\Temp\~tmp\hmunmlcl88. Sometimes it's an 87 at the end, though. The computer runs fine for a week or 2 and then starts acting up again.


Here is my Kaspersky file:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 10, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 10, 2008 16:54:25
Records in database: 1303332
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
G:\

Scan statistics:
Files scanned: 161910
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:11:30


File name / Threat name / Threats count
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlcl90\hmunmlcl90.exe Infected: Trojan-Mailfinder.Win32.Blen.dg 1
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlcl92\hmunmlcl92.exe Infected: Trojan-Mailfinder.Win32.Blen.de 1
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlcl93\hmunmlcl93.exe Infected: Trojan-Mailfinder.Win32.Blen.df 1
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlcl94a\hmunmlcl94a.exe Infected: Trojan-Mailfinder.Win32.Blen.dh 1
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlcl96\hmunmlcl96.exe Infected: Trojan-Mailfinder.Win32.Blen.dk 1

The selected area was scanned.

Edited by bammbamm21, 10 October 2008 - 06:59 PM.
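As an added example (not code from the thread, from HijackThis, or from BleepingComputer), a small Python triage of the autostart entry types that appear in these logs. It flags what a malware responder checks first: executables started from user-writable profile or temp directories, entries under Policies\Explorer\Run, the legacy win.ini load= line, and files that borrow the name of a Windows system binary while living outside \Windows. The sample log lines and the list of system binary names are constructed for the demonstration, not taken from any real machine.

```python
"""Triage of HijackThis v2 autostart entries (O4 Run keys and the F3
win.ini load= line).  Flags entries whose executable lives in a
user-writable location, uses the Policies\\Explorer\\Run key, or borrows
the name of a Windows system binary while living outside \\Windows."""
import re
from dataclasses import dataclass, field

# Constructed sample lines in HijackThis format, modelled on the entry
# types seen in the thread (not copied from any real machine).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\Users\George\AppData\Local\Temp\rsvp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [DllHst] C:\Users\George\LOCALS~1\APPLIC~1\dllhst3g.exe /waitservice
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'SYSTEM')
F3 - REG:win.ini: load=C:\Users\George\AppData\Roaming\MICROS~1\spoolsv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
"""

O4_RUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F3_LOAD_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<cmd>.*)$")
# Executable part of a command line: optional quotes, up to the first ".exe".
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)

# Directory fragments an unprivileged user can write to (8.3 short names
# included, because HijackThis prints paths exactly as stored in the registry).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\locals~1\\", "\\applic~1\\",
                 "\\documents and settings\\", "%temp%", "%appdata%")

# Assumed list of Windows (current or legacy) system binary names that
# malware likes to borrow; a genuine copy lives under \Windows, not in a profile.
SYSTEM_NAMES = {"spoolsv.exe", "logman.exe", "clipsrv.exe", "mqtgsvc.exe",
                "rsvp.exe", "dllhost.exe", "svchost.exe", "lsass.exe"}


@dataclass
class Finding:
    line: str
    exe_path: str
    reasons: list = field(default_factory=list)


def exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run-key command line, quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ")[0]


def assess(line: str) -> "Finding | None":
    """Classify one HijackThis line; None when it is not a suspicious autostart."""
    reasons = []
    if (m := O4_RUN_RE.match(line)):
        path = exe_from_command(m.group("cmd"))
        if "policies\\explorer\\run" in m.group("key").lower():
            reasons.append("uses Policies\\Explorer\\Run (rarely used by legitimate software)")
    elif (m := F3_LOAD_RE.match(line)):
        path = m.group("cmd").strip()
        if path:
            reasons.append("legacy win.ini load= autostart")
    else:
        return None
    low = path.lower()
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("executable in a user-writable profile/temp directory")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append(f"system binary name {base} outside \\Windows")
    return Finding(line, path, reasons) if reasons else None


def triage_hjt(log_text: str) -> list:
    """Run assess() over every line and return the flagged entries in order."""
    return [f for f in (assess(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f.exe_path)
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the four profile-resident entries are flagged and the Windows Defender, BitDefender and NVIDIA entries pass; the same rules applied to the logs above pick out the rsvp, DllHst, ClipSrv and win.ini spoolsv entries that keep the infection coming back after a reboot.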


#4 Starbuck

  • Malware Response Team

Posted 11 October 2008 - 04:37 AM

Hi bammbamm21

Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Please ensure that you install the Recovery Console, if it's not already installed on your machine.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log in your next reply.
-------------------------------------------------------
If for any reason Combofix won't run, remove that version of Combofix and use the following instructions:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your next reply, please submit:
ComboFix.txt
and a new HJT log

Thanks.



#5 bammbamm21


Posted 12 October 2008 - 05:19 AM

I'm still having the problem, but I just got my tonsils removed and am hopped up on medicine right now. I would rather not be messing with my computer right now, so if you could just leave this topic open, I will reply when I'm feeling better. I would appreciate it.

#6 Starbuck

  • Malware Response Team

Posted 12 October 2008 - 05:33 AM

Hi bammbamm21

Quote: "I would rather not be messing with my computer right now, so if you could just leave this topic open, I will reply when I'm feeling better. I would appreciate it."

That is not a problem. I'll leave the thread open and wait for your return.
Hope you feel better soon.



#7 bammbamm21


Posted 18 October 2008 - 05:47 AM

Sorry about the wait. It took longer to recover than I originally thought. Here is the HJT log and the ComboFix log. I'm not sure about the Recovery Console because I have Vista, and all I can find out about it is for XP. I did check for startup problems, but I couldn't find an option to check for malware for the Vista version. Any help on that would be appreciated if it's needed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:46 AM, on 10/18/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Users\George\AppData\Local\Temp\rsvp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\George\AppData\Local\Temp\logman.exe
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\Users\George\AppData\Local\Temp\rsvp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/games/c...n/abcisland.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9336 bytes








ComboFix 08-10-17.01 - George 2008-10-18 4:23:37.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.450 [GMT -5:00]
Running from: C:\Users\George\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\ban_list.txt
C:\Windows\system32\drivers\downld
C:\Windows\system32\drivers\downld\14716167.exe
C:\Windows\system32\drivers\downld\14716775.exe
C:\Windows\system32\drivers\downld\14731236.exe
C:\Windows\system32\drivers\downld\14756384.exe
C:\Windows\system32\drivers\downld\14758256.exe
C:\Windows\system32\drivers\downld\14761204.exe
C:\Windows\system32\drivers\downld\14799487.exe
C:\Windows\system32\drivers\downld\14802139.exe
C:\Windows\system32\drivers\downld\14805087.exe
C:\Windows\system32\drivers\downld\14825539.exe
C:\Windows\system32\drivers\downld\14836131.exe
C:\Windows\system32\drivers\downld\166796.exe
C:\Windows\system32\drivers\downld\167498.exe
C:\Windows\system32\drivers\downld\185812.exe
C:\Windows\system32\drivers\downld\202551.exe
C:\Windows\system32\drivers\downld\209228.exe
C:\Windows\system32\drivers\downld\212910.exe
C:\Windows\system32\drivers\downld\254562.exe
C:\Windows\system32\drivers\downld\258010.exe
C:\Windows\system32\drivers\downld\276511.exe
C:\Windows\system32\drivers\downld\290146.exe
C:\Windows\system32\drivers\downld\29261856.exe
C:\Windows\system32\drivers\downld\29262495.exe
C:\Windows\system32\drivers\downld\29273774.exe
C:\Windows\system32\drivers\downld\29457933.exe
C:\Windows\system32\drivers\downld\29460898.exe
C:\Windows\system32\drivers\downld\29463908.exe
C:\Windows\system32\drivers\downld\29501130.exe
C:\Windows\system32\drivers\downld\29508291.exe
C:\Windows\system32\drivers\downld\29523813.exe
C:\Windows\system32\drivers\downld\29534343.exe
C:\Windows\system32\drivers\downld\43947884.exe
C:\Windows\system32\drivers\downld\43959818.exe
C:\Windows\system32\drivers\downld\43960598.exe
C:\Windows\system32\drivers\downld\43973998.exe
C:\Windows\system32\drivers\downld\43998693.exe
C:\Windows\system32\drivers\downld\44001033.exe
C:\Windows\system32\drivers\downld\44003701.exe
C:\Windows\system32\drivers\downld\44038083.exe
C:\Windows\system32\drivers\downld\44045337.exe
C:\Windows\system32\drivers\downld\44063293.exe
C:\Windows\system32\drivers\downld\44075726.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2008-10-18 04:34 . 2008-09-15 12:10 86,016 --a------ C:\Windows\cmstp.exe
2008-10-18 04:31 . 2008-09-15 12:10 86,016 --a------ C:\Windows\system\cmstp.exe
2008-09-20 21:05 . 2008-09-20 21:11 <DIR> d-------- C:\Program Files\MyMobster
2008-09-20 21:05 . 1998-06-24 00:00 108,336 --a------ C:\Windows\System32\MSWINSCK.OCX
2008-09-19 03:35 . 2008-09-19 03:42 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-09-19 03:35 . 2008-09-19 03:42 <DIR> d-------- C:\ProgramData\Lavasoft
2008-09-19 03:35 . 2008-09-19 03:35 <DIR> d-------- C:\Program Files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 09:31 --------- d-----w C:\Users\George\AppData\Roaming\DNA
2008-09-19 08:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-15 17:10 86,016 ----a-w C:\Users\George\AppData\Roaming\clipsrv.exe
2008-09-14 23:34 --------- d-----w C:\Program Files\DNA
2008-09-12 21:23 --------- d-----w C:\ProgramData\BitDefender
2008-09-12 20:48 --------- d-----w C:\Users\George\AppData\Roaming\BitDefender
2008-09-12 20:48 --------- d-----w C:\Program Files\Common Files\BitDefender
2008-09-12 20:47 --------- d-----w C:\Program Files\BitDefender
2008-09-12 20:44 73,752 ----a-w C:\Program Files\Uninstall.exe
2008-09-12 20:44 --------- d-----w C:\Program Files\webserver
2008-09-12 19:39 --------- d-----w C:\Users\George\AppData\Roaming\BitTorrent
2008-09-10 07:18 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-10 07:15 --------- d-----w C:\Program Files\Microsoft Works
2008-09-10 07:14 --------- d-----w C:\Program Files\MSBuild
2008-09-10 07:11 --------- d-----w C:\Program Files\Microsoft.NET
2008-09-10 07:07 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-09-09 17:43 --------- d-----w C:\Program Files\BitTorrent
2008-09-07 08:21 --------- d-----w C:\Program Files\Trend Micro
2008-09-06 17:53 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-09-06 16:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-26 04:34 --------- d-----w C:\Program Files\InterActual
2008-08-01 17:41 5,480,448 ----a-w C:\Program Files\emule.exe
2008-08-01 17:22 7,096 ----a-w C:\Program Files\changelog.txt
2008-08-01 17:21 7,774 ----a-w C:\Program Files\changelog.ger.txt
2008-07-29 14:23 15,397 ----a-w C:\Program Files\Template.eMuleSkin.ini
2008-07-09 10:11 174 --sha-w C:\Program Files\desktop.ini
2008-07-03 09:52 13,050 ----a-w C:\Program Files\readme.txt
2008-04-12 18:10 688 ----a-w C:\Program Files\Template.Notifier.ini
2007-04-30 16:47 72,220 ----a-w C:\Program Files\eMule Light.tmpl
2006-07-03 11:26 115,247 ----a-w C:\Program Files\eMule.tmpl
2006-03-22 21:12 270,336 ----a-w C:\Program Files\LinkCreator.exe
2002-10-08 16:10 18,401 ----a-w C:\Program Files\license-GER.txt
2002-10-08 16:10 14,971 ----a-w C:\Program Files\license.txt
2007-06-26 05:37 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-06-26 05:37 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-06-26 05:37 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-17 289088]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 282624]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-17 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-17 81920]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-17 8497696]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-10-02 716800]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 C:\Windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-07 839688]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-05-13 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2006-11-12 446976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"rsvp"="C:\Users\George\AppData\Local\Temp\rsvp.exe" [2008-09-15 86016]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ClipSrv"="C:\Users\George\AppData\Roaming\clipsrv.exe" [2008-09-15 86016]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-04-06 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\Windows\cmstp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3262782788-3064470344-2388723307-1000]
"EnableNotificationsRef"=dword:00000007

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8332EAA3-6358-40C8-B6F9-5408B2C585B3}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{A7EC7631-BDD8-4ABC-AADD-B62137F9BF63}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{23BFE613-013E-42FD-852C-6F070CDA10A6}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{7D4A0F58-0789-4D22-8684-68F37C69B300}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"TCP Query User{58EFEC54-ADF8-4427-B72E-EC8A089D312C}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{EC5DB61B-58AC-430D-8057-43004126BFF6}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{853B8396-9615-4619-815D-81FC38B1AA84}C:\\users\\george\\appdata\\local\\temp\\29exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\29exinjs.a9.exe:29exinjs.a9.exe
"UDP Query User{F7AE8BC7-F9E0-4E6E-A161-883DC2DF8FB1}C:\\users\\george\\appdata\\local\\temp\\29exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\29exinjs.a9.exe:29exinjs.a9.exe
"{EE9A6F65-6C00-4970-AF1C-F699428DDC77}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8BE193E7-7033-4CFC-BBEF-C7B398719B9E}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{FBF9E69A-D8A9-4B63-B87B-D1F37EDD0777}C:\\users\\george\\appdata\\local\\temp\\57exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\57exinjs.a9.exe:57exinjs.a9.exe
"UDP Query User{488F1D21-4D25-4132-B125-BB6AE4B2E2A4}C:\\users\\george\\appdata\\local\\temp\\57exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\57exinjs.a9.exe:57exinjs.a9.exe
"TCP Query User{31F58FB0-8425-4E36-812F-A5A8A55B780A}C:\\users\\george\\appdata\\local\\temp\\39exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\39exinjs.a9.exe:39exinjs.a9.exe
"UDP Query User{67A7EBE3-5344-4735-8FBC-D894B88BF117}C:\\users\\george\\appdata\\local\\temp\\39exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\39exinjs.a9.exe:39exinjs.a9.exe
"TCP Query User{CAB835BE-1A5A-4406-897F-6EAEB01E8E8E}C:\\users\\george\\appdata\\local\\temp\\43exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\43exinjs.a9.exe:43exinjs.a9.exe
"UDP Query User{F51EDF45-D479-4A3B-9E4A-481DAB10DC0F}C:\\users\\george\\appdata\\local\\temp\\43exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\43exinjs.a9.exe:43exinjs.a9.exe
"{9C2B9D03-6AF8-4868-91A8-44C6C7CD6392}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{1826E044-F4B5-43F0-8355-B59F4B385E8D}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{14259E23-BFFE-46FF-A636-7AD9B1985C73}C:\\users\\george\\appdata\\local\\temp\\54exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\54exinjs.a9.exe:54exinjs.a9.exe
"UDP Query User{A0C60F53-DA63-4246-A0D1-42BB4A0BF95E}C:\\users\\george\\appdata\\local\\temp\\54exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\54exinjs.a9.exe:54exinjs.a9.exe
"TCP Query User{66DD9FF2-06BD-43F3-B61C-996638F7158A}C:\\users\\george\\appdata\\local\\temp\\15exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\15exinjs.a9.exe:15exinjs.a9.exe
"UDP Query User{9FD7CC1B-3789-4518-B72A-5622F100C0E6}C:\\users\\george\\appdata\\local\\temp\\15exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\15exinjs.a9.exe:15exinjs.a9.exe
"TCP Query User{42310FEB-A596-492C-A0C2-0B71BF737ABC}C:\\users\\george\\appdata\\local\\temp\\19exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\19exinjs.a9.exe:19exinjs.a9.exe
"UDP Query User{00780FFB-0BA5-4292-9AC8-9EA93E36EE4B}C:\\users\\george\\appdata\\local\\temp\\19exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\19exinjs.a9.exe:19exinjs.a9.exe
"TCP Query User{41F68E03-A101-4DFE-A0F1-937748B40D1E}C:\\program files\\dell games\\jeopardy\\jeopardy!.exe"= UDP:C:\program files\dell games\jeopardy\jeopardy!.exe:JEOPARDY!
"UDP Query User{A20216E8-8582-4229-9B44-4CC0D1A2B68B}C:\\program files\\dell games\\jeopardy\\jeopardy!.exe"= TCP:C:\program files\dell games\jeopardy\jeopardy!.exe:JEOPARDY!
"TCP Query User{D0CF7977-A8CF-4058-87A2-49F9FC5A3364}C:\\users\\george\\appdata\\local\\temp\\20exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\20exinjs.a9.exe:20exinjs.a9.exe
"UDP Query User{43B69B4E-394F-4D4C-9004-022D10077E1E}C:\\users\\george\\appdata\\local\\temp\\20exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\20exinjs.a9.exe:20exinjs.a9.exe
"{E6CFEB10-CCD9-4FAE-AA20-758327D1E441}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{7E791B8E-9A8D-4EB8-96D6-0DB4403BFB6C}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"TCP Query User{7C40E5A1-AD35-458A-82AE-E4595E8C99BD}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2C721DED-503D-4191-B283-F9F319BB2037}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{AAC3F399-D0A7-4261-BF7A-6506B423DC11}C:\\users\\george\\appdata\\local\\temp\\16exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\16exinjs.a9.exe:16exinjs.a9.exe
"UDP Query User{A54EB151-FF09-47A8-A30D-F4A77347FE15}C:\\users\\george\\appdata\\local\\temp\\16exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\16exinjs.a9.exe:16exinjs.a9.exe
"TCP Query User{F4F80B9D-CE13-47FB-A9FB-0617EAB4CF91}C:\\users\\george\\appdata\\local\\temp\\51exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\51exinjs.a9.exe:51exinjs.a9.exe
"UDP Query User{03119D6D-D926-4FA8-B250-67DBA027500F}C:\\users\\george\\appdata\\local\\temp\\51exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\51exinjs.a9.exe:51exinjs.a9.exe
"TCP Query User{7D6893B6-C900-4BA5-9197-A5CE07F4B929}C:\\users\\george\\appdata\\local\\temp\\11exml32.9.exe"= UDP:C:\users\george\appdata\local\temp\11exml32.9.exe:11exml32.9.exe
"UDP Query User{94EA806B-BFDA-4AC1-A13D-E4D45F8CA340}C:\\users\\george\\appdata\\local\\temp\\11exml32.9.exe"= TCP:C:\users\george\appdata\local\temp\11exml32.9.exe:11exml32.9.exe
"{6B578616-A37A-4506-919D-F78423B7E4FE}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{7E655958-0A86-4F8F-9547-FA5DC7CC3BDE}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{40C78FF2-2934-4C08-A839-43FD2E4FF6DF}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{D5C5AF33-BA04-412E-9322-467588DFE6BD}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{3948922C-5BFC-4B4B-A88D-745253678797}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{7C99D8E3-ED9D-4AFD-9FF5-189791432A6A}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{65CA6E5D-9E6A-4533-A700-ED9D5C551914}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{C169103E-17B3-47C2-A8FD-A4AE82C813B6}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"TCP Query User{2E92B54B-B6A1-4C40-A3E6-43EAD1A5963F}C:\\users\\george\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\george\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{3C8ABB27-2E0D-4FA1-BD2A-9BE538BE4DA7}C:\\users\\george\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\george\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"TCP Query User{E8973D96-B99C-43E7-9836-C7513148AF90}C:\\users\\george\\desktop\\transfer\\steam\\steamapps\\hdc4@harddrivecafes.com\\counter-strike\\hl.exe"= UDP:C:\users\george\desktop\transfer\steam\steamapps\hdc4@harddrivecafes.com\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{DBFCDF16-952F-47C1-8CBA-AD03147637B0}C:\\users\\george\\desktop\\transfer\\steam\\steamapps\\hdc4@harddrivecafes.com\\counter-strike\\hl.exe"= TCP:C:\users\george\desktop\transfer\steam\steamapps\hdc4@harddrivecafes.com\counter-strike\hl.exe:Half-Life Launcher
"{C8051F15-74D6-4AEC-8201-BB9249D98216}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FA5D3E9C-E0FB-4E8E-A19B-F761B5557139}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{814C6B8E-A74E-4EF6-8FB3-CB68DA54B151}"= C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{2C672AD2-14EF-411B-9BEB-EDE1F03DBC1F}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{A92C7D82-728D-4B41-8280-1FB72DCA5ED2}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{CFD962BD-4872-48EF-8AAF-738F2DE38002}C:\\program files\\ea games\\command and conquer generals\\patchget.dat"= UDP:C:\program files\ea games\command and conquer generals\patchget.dat:patchgrabber
"UDP Query User{C94C3E04-8406-4C4C-96EE-7D618D8C3DA7}C:\\program files\\ea games\\command and conquer generals\\patchget.dat"= TCP:C:\program files\ea games\command and conquer generals\patchget.dat:patchgrabber
"TCP Query User{F5DA80C0-7AEF-4814-A58D-668AE95C59E7}C:\\program files\\ea games\\command & conquer generals zero hour\\patchget.dat"= UDP:C:\program files\ea games\command & conquer generals zero hour\patchget.dat:patchgrabber
"UDP Query User{914ED5C4-D9C0-481C-B20C-E1199A3CB96C}C:\\program files\\ea games\\command & conquer generals zero hour\\patchget.dat"= TCP:C:\program files\ea games\command & conquer generals zero hour\patchget.dat:patchgrabber

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 bdfm;BDFM;C:\Windows\system32\drivers\bdfm.sys [2008-08-12 108864]
S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c6c9e1f-e412-11db-afaa-806e6f6e6963}]
\shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c6c9e20-e412-11db-afaa-806e6f6e6963}]
\shell\AutoRun\command - F:\install.EXE id= ver=1.0.0.0
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-DellSupportCenter - C:\Program Files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-Corel Photo Downloader - C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
HKCU-Explorer_Run-DllHst - C:\Users\George\LOCALS~1\APPLIC~1\dllhst3g.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
C:\Windows\Downloaded Program Files\PogoWebLauncher.ocx

O16 -: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--5a2b0d4a-9bfb-4f2c-bfe0-108b8b4b0c26/online/abc_island/en/abcisland.cab
C:\Windows\Downloaded Program Files\abcisland.inf
C:\Windows\Downloaded Program Files\Resource.tdf
C:\Windows\Downloaded Program Files\Music.mid
C:\Windows\Downloaded Program Files\Interface.mid
C:\Windows\Downloaded Program Files\abcisland.dll

O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
C:\Windows\Downloaded Program Files\OberonGameHost_dbg.inf
C:\Windows\Downloaded Program Files\OberonGameHost.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 04:34:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@rad.live[3].txt 880 bytes
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@by137w.bay137.mail.live[1].txt
C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies\george@interclick[2].txt 1221 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\System32\stacsv.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2008-10-18 4:51:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 09:50:21

Pre-Run: 148,675,100,672 bytes free
Post-Run: 149,452,136,448 bytes free

282 --- E O F --- 2008-08-24 06:45:23

#8 bammbamm21 (Topic Starter)

Posted 19 October 2008 - 10:55 PM

also after running combofix now my desktop is completely black and I can't change it. also all the preview icons in all the folders don't show up, just the name.


#9 Starbuck (Malware Response Team)

Posted 20 October 2008 - 10:05 AM

Hi bammbamm21

sorry about the wait. took longer to recover than I originally thought

Not a problem, hope you feel better now.

I'm not sure about the recovery console because I have vista

That's ok.

Step 1

after running combofix now my desktop is completely black and I can't change it.

Maybe some of the malware has knocked out explorer.exe; let's see if this gets things back to normal.

Press the 3 keyboard keys... ctrl-alt-del.
This will bring up the Task Manager. (In some cases it brings up the Windows Security dialog, but you can click on the Task Manager button from there to go where we need to be.)

Once in the Task Manager, make sure you are on the "Processes" tab and then click on "File" in the Task Manager menu. Then select "New Task (Run...)" and type "explorer.exe" (without the quotes) in the "open" field. Then click ok.
See if this helps; if it does, go on to the next step.

Step 2
Close any open browsers.
Close/disable all antivirus, firewall and anti-malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

File::
C:\Users\George\AppData\Roaming\clipsrv.exe
C:\Users\George\AppData\Local\Temp\rsvp.exe
C:\users\george\appdata\local\temp\29exinjs.a9.exe
C:\users\george\appdata\local\temp\51exinjs.a9.exe
C:\users\george\appdata\local\temp\51exinjs.a9.exe
C:\users\george\appdata\local\temp\11exml32.9.exe
C:\Windows\cmstp.exe
C:\Windows\system\cmstp.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"rsvp"=-
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ClipSrv"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

In your next reply, please submit:
New Combofix.txt
New Hjt log

Thanks.

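The entries Starbuck's CFScript removes (rsvp, ClipSrv, the `load` value) share a pattern that is visible in the HijackThis O4 lines posted earlier in the thread: the program lives in a user-writable location such as AppData or Temp, or it hangs off Policies\Explorer\Run, or a SYSTEM/Default-user entry points into one named user's profile. The script below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses a handful of O4 lines copied from the posted log (with two benign entries kept for contrast), extracts the real program path (unquoting, and following rundll32 to the DLL it loads) and reports why each flagged entry stands out. The three triage rules are assumptions of this example, not anything the tools themselves apply.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: O4 lines copied from the HijackThis log posted
# above in the thread, plus a benign HKLM Run entry and a Global Startup entry.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\Users\George\AppData\Local\Temp\rsvp.exe /waitservice',
    r'O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice',
    r"O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [ClipSrv] C:\Users\George\AppData\Roaming\clipsrv.exe /waitservice (User 'SYSTEM')",
    r'O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe',
]

# O4 lines come in two shapes: "KEY: [ValueName] command (User 'X')" for
# registry Run keys and "Global Startup: name.lnk = target" for startup folders.
_BRACKET_RE = re.compile(
    r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$"
)
_STARTUP_RE = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Unquoted Windows paths contain spaces, so cut at the first executable extension.
_EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=[\s,]|$)", re.IGNORECASE)

# Accounts that should never need an autorun pointing into a user's own profile.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "Default user"}


def executable_path(cmd: str) -> str:
    """Return the program a Run value actually starts, unquoting and following rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
        rest = cmd[end + 1:] if end > 0 else ""
    else:
        m = _EXE_RE.match(cmd)
        path = m.group(1) if m else cmd.split(" ", 1)[0]
        rest = cmd[len(path):]
    # rundll32 only hosts the DLL named in its first argument; that DLL is the payload.
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        return executable_path(rest.strip().split(",", 1)[0])
    return path


def parse_o4(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one O4 line into key, value name, command, user and resolved path."""
    m = _BRACKET_RE.match(line) or _STARTUP_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.setdefault("user", None)
    entry["path"] = executable_path(entry["cmd"])
    return entry


def suspicion_reasons(entry: Dict[str, Optional[str]]) -> List[str]:
    """Heuristic triage rules (assumptions of this example, not HijackThis logic)."""
    reasons = []
    path = entry["path"].lower()
    key = entry["key"].lower()
    if any(tag in path for tag in ("\\appdata\\", "\\temp\\", "\\local settings\\")):
        reasons.append("executable lives in a user-writable profile or temp directory")
    if "policies\\explorer\\run" in key:
        reasons.append("loaded from Policies\\Explorer\\Run, a key installers rarely use")
    if entry["user"] in SERVICE_ACCOUNTS and "\\users\\" in path:
        reasons.append(f"runs for '{entry['user']}' but points into a named user's profile")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged value name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4_LINES).items():
        print(f"[{name}]")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the three `/waitservice` entries are the only ones reported, ClipSrv with all three reasons and the QuickTime and Digital Line Detect entries with none. The rules are deliberately loose: a hit is a reason to look the file up, not a verdict, which is the same role the O4 lines played in this thread before the helper decided what to put in the CFScript.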


#10 bammbamm21 (Topic Starter)

Posted 20 October 2008 - 12:04 PM

thank you for the wish of well being. much appreciated. I am feeling better. before running combofix I ended explorer and then restarted it to no avail. I ran cf again and when it came back I lost my entire desktop. nothing but black. I brought up the task manager and explorer wasn't running at all so I restarted it and now it's back to normal. thank you.

the combofix file was 445 pages long in word and just under 70,000 words long and the forum won't let me make a post that big. 90% of it was in the snapshot@2008-10-18_ 4.47.53.99 section. a lot of it was microsoft stuff so I looked up updates and I had microsoft windows vista service pack 1 installed overnight and I'm assuming that's what all the new files are from. how would you like me to post that file? here is the hjt log though





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:42 AM, on 10/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\sttray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Esent Utl] C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Esent Utl] C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe /waitservice (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/games/c...n/abcisland.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8197 bytes

#11 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 20 October 2008 - 01:02 PM

Hi bammbamm21

a lot of it was microsoft stuff

You are right, if you have just updated to Vista SP1..... there would be a lot of entries in the snapshot.
You can edit those out for the time being and post the rest.
If we need to go through them we know where they are.

Thanks.

Edit:
Btw, don't try and post the word version.... use Notepad... the same as posting your Hjt log.

Thanks

Edited by Starbuck, 20 October 2008 - 01:55 PM.



#12 bammbamm21
  • Topic Starter
  • Members
  • 51 posts
  • Gender:Male
  • Location:menasha, wi

Posted 20 October 2008 - 08:05 PM

By edit out the rest, do you mean post everything but the 3m report? I will post the Notepad version. I only dropped it into Word to see how large it was.

EDIT: I also now don't have sound while playing on pogo.com. As far as I can tell it's only that site, but it's site-wide and it's not affecting anyone else on the site. That stopped working right after ComboFix ran. Is it possible it killed something related to Pogo? I tried deleting the Pogo launcher located here: "C:\Windows\Downloaded Program Files" hoping that it would reinstall, but it won't let me delete it. Click delete and nothing happens. If I go to volume you can see the meter going up and down like sound should be playing, but nothing comes out. Any help on that matter would be appreciated also. Thank you.



ComboFix 08-10-17.01 - George 2008-10-20 11:11:01.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.421 [GMT -5:00]
Running from: C:\Users\George\Desktop\ComboFix.exe
Command switches used :: C:\Users\George\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\users\george\appdata\local\temp\11exml32.9.exe
C:\users\george\appdata\local\temp\29exinjs.a9.exe
C:\users\george\appdata\local\temp\51exinjs.a9.exe
C:\Users\George\AppData\Local\Temp\rsvp.exe
C:\Users\George\AppData\Roaming\clipsrv.exe
C:\Windows\cmstp.exe
C:\Windows\system\cmstp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\George\AppData\Local\Temp\rsvp.exe
C:\Users\George\AppData\Roaming\clipsrv.exe
C:\Windows\cmstp.exe
C:\Windows\system\cmstp.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2008-10-20 10:32 . 2008-10-20 10:32 <DIR> d-------- C:\PerfLogs
2008-10-20 02:58 . 2008-01-19 02:33 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-10-20 02:57 . 2008-01-19 02:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
2008-10-20 02:56 . 2008-01-19 01:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-10-20 02:55 . 2008-01-19 02:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-10-20 02:55 . 2008-01-19 02:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-10-20 02:55 . 2008-01-19 02:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-10-20 02:55 . 2008-01-19 02:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-10-20 02:55 . 2008-01-19 02:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-10-20 02:55 . 2008-01-19 02:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-10-20 02:55 . 2008-01-19 02:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-10-20 02:55 . 2008-01-19 02:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-10-20 02:55 . 2008-01-19 02:36 129,536 --a------ C:\Windows\System32\sqmapi.dll
2008-10-20 02:55 . 2008-01-19 02:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-10-19 02:04 . 2008-07-30 20:13 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-10-19 02:04 . 2008-09-18 00:09 3,601,464 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-10-19 02:04 . 2008-09-18 00:09 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-10-19 02:04 . 2008-09-17 21:16 2,032,640 --a------ C:\Windows\System32\win32k.sys
2008-10-19 02:04 . 2008-06-25 22:29 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-10-19 02:04 . 2008-07-30 22:32 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-10-18 04:59 . 2008-10-18 04:59 1,905 --a------ C:\Windows\diagwrn.xml
2008-10-18 04:59 . 2008-10-18 04:59 1,905 --a------ C:\Windows\diagerr.xml
2008-10-18 04:48 . 2008-10-01 20:32 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-10-18 04:48 . 2008-10-01 22:49 827,392 --a------ C:\Windows\System32\wininet.dll
2008-10-18 04:48 . 2008-08-26 20:06 288,768 --a------ C:\Windows\System32\drivers\srv.sys
2008-09-20 21:05 . 2008-09-20 21:11 <DIR> d-------- C:\Program Files\MyMobster
2008-09-20 21:05 . 1998-06-24 00:00 108,336 --a------ C:\Windows\System32\MSWINSCK.OCX




((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-17 289088]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 282624]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-17 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-17 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-17 81920]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 C:\Windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2006-11-12 446976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MqtgSVC"="C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe" [2008-09-15 86016]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MqtgSVC"="C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe" [2008-09-15 86016]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Esent Utl"="C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe" [2008-09-15 86016]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-04-06 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3262782788-3064470344-2388723307-1000]
"EnableNotificationsRef"=dword:00000007

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8332EAA3-6358-40C8-B6F9-5408B2C585B3}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{A7EC7631-BDD8-4ABC-AADD-B62137F9BF63}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{23BFE613-013E-42FD-852C-6F070CDA10A6}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{7D4A0F58-0789-4D22-8684-68F37C69B300}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"TCP Query User{58EFEC54-ADF8-4427-B72E-EC8A089D312C}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{EC5DB61B-58AC-430D-8057-43004126BFF6}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{853B8396-9615-4619-815D-81FC38B1AA84}C:\\users\\george\\appdata\\local\\temp\\29exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\29exinjs.a9.exe:29exinjs.a9.exe
"UDP Query User{F7AE8BC7-F9E0-4E6E-A161-883DC2DF8FB1}C:\\users\\george\\appdata\\local\\temp\\29exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\29exinjs.a9.exe:29exinjs.a9.exe
"{EE9A6F65-6C00-4970-AF1C-F699428DDC77}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8BE193E7-7033-4CFC-BBEF-C7B398719B9E}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{FBF9E69A-D8A9-4B63-B87B-D1F37EDD0777}C:\\users\\george\\appdata\\local\\temp\\57exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\57exinjs.a9.exe:57exinjs.a9.exe
"UDP Query User{488F1D21-4D25-4132-B125-BB6AE4B2E2A4}C:\\users\\george\\appdata\\local\\temp\\57exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\57exinjs.a9.exe:57exinjs.a9.exe
"TCP Query User{31F58FB0-8425-4E36-812F-A5A8A55B780A}C:\\users\\george\\appdata\\local\\temp\\39exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\39exinjs.a9.exe:39exinjs.a9.exe
"UDP Query User{67A7EBE3-5344-4735-8FBC-D894B88BF117}C:\\users\\george\\appdata\\local\\temp\\39exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\39exinjs.a9.exe:39exinjs.a9.exe
"TCP Query User{CAB835BE-1A5A-4406-897F-6EAEB01E8E8E}C:\\users\\george\\appdata\\local\\temp\\43exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\43exinjs.a9.exe:43exinjs.a9.exe
"UDP Query User{F51EDF45-D479-4A3B-9E4A-481DAB10DC0F}C:\\users\\george\\appdata\\local\\temp\\43exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\43exinjs.a9.exe:43exinjs.a9.exe
"{9C2B9D03-6AF8-4868-91A8-44C6C7CD6392}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{1826E044-F4B5-43F0-8355-B59F4B385E8D}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{14259E23-BFFE-46FF-A636-7AD9B1985C73}C:\\users\\george\\appdata\\local\\temp\\54exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\54exinjs.a9.exe:54exinjs.a9.exe
"UDP Query User{A0C60F53-DA63-4246-A0D1-42BB4A0BF95E}C:\\users\\george\\appdata\\local\\temp\\54exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\54exinjs.a9.exe:54exinjs.a9.exe
"TCP Query User{66DD9FF2-06BD-43F3-B61C-996638F7158A}C:\\users\\george\\appdata\\local\\temp\\15exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\15exinjs.a9.exe:15exinjs.a9.exe
"UDP Query User{9FD7CC1B-3789-4518-B72A-5622F100C0E6}C:\\users\\george\\appdata\\local\\temp\\15exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\15exinjs.a9.exe:15exinjs.a9.exe
"TCP Query User{42310FEB-A596-492C-A0C2-0B71BF737ABC}C:\\users\\george\\appdata\\local\\temp\\19exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\19exinjs.a9.exe:19exinjs.a9.exe
"UDP Query User{00780FFB-0BA5-4292-9AC8-9EA93E36EE4B}C:\\users\\george\\appdata\\local\\temp\\19exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\19exinjs.a9.exe:19exinjs.a9.exe
"TCP Query User{41F68E03-A101-4DFE-A0F1-937748B40D1E}C:\\program files\\dell games\\jeopardy\\jeopardy!.exe"= UDP:C:\program files\dell games\jeopardy\jeopardy!.exe:JEOPARDY!
"UDP Query User{A20216E8-8582-4229-9B44-4CC0D1A2B68B}C:\\program files\\dell games\\jeopardy\\jeopardy!.exe"= TCP:C:\program files\dell games\jeopardy\jeopardy!.exe:JEOPARDY!
"TCP Query User{D0CF7977-A8CF-4058-87A2-49F9FC5A3364}C:\\users\\george\\appdata\\local\\temp\\20exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\20exinjs.a9.exe:20exinjs.a9.exe
"UDP Query User{43B69B4E-394F-4D4C-9004-022D10077E1E}C:\\users\\george\\appdata\\local\\temp\\20exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\20exinjs.a9.exe:20exinjs.a9.exe
"{E6CFEB10-CCD9-4FAE-AA20-758327D1E441}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{7E791B8E-9A8D-4EB8-96D6-0DB4403BFB6C}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"TCP Query User{7C40E5A1-AD35-458A-82AE-E4595E8C99BD}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2C721DED-503D-4191-B283-F9F319BB2037}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{AAC3F399-D0A7-4261-BF7A-6506B423DC11}C:\\users\\george\\appdata\\local\\temp\\16exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\16exinjs.a9.exe:16exinjs.a9.exe
"UDP Query User{A54EB151-FF09-47A8-A30D-F4A77347FE15}C:\\users\\george\\appdata\\local\\temp\\16exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\16exinjs.a9.exe:16exinjs.a9.exe
"TCP Query User{F4F80B9D-CE13-47FB-A9FB-0617EAB4CF91}C:\\users\\george\\appdata\\local\\temp\\51exinjs.a9.exe"= UDP:C:\users\george\appdata\local\temp\51exinjs.a9.exe:51exinjs.a9.exe
"UDP Query User{03119D6D-D926-4FA8-B250-67DBA027500F}C:\\users\\george\\appdata\\local\\temp\\51exinjs.a9.exe"= TCP:C:\users\george\appdata\local\temp\51exinjs.a9.exe:51exinjs.a9.exe
"TCP Query User{7D6893B6-C900-4BA5-9197-A5CE07F4B929}C:\\users\\george\\appdata\\local\\temp\\11exml32.9.exe"= UDP:C:\users\george\appdata\local\temp\11exml32.9.exe:11exml32.9.exe
"UDP Query User{94EA806B-BFDA-4AC1-A13D-E4D45F8CA340}C:\\users\\george\\appdata\\local\\temp\\11exml32.9.exe"= TCP:C:\users\george\appdata\local\temp\11exml32.9.exe:11exml32.9.exe
"{6B578616-A37A-4506-919D-F78423B7E4FE}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{7E655958-0A86-4F8F-9547-FA5DC7CC3BDE}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{40C78FF2-2934-4C08-A839-43FD2E4FF6DF}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{D5C5AF33-BA04-412E-9322-467588DFE6BD}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{3948922C-5BFC-4B4B-A88D-745253678797}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{7C99D8E3-ED9D-4AFD-9FF5-189791432A6A}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{65CA6E5D-9E6A-4533-A700-ED9D5C551914}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{C169103E-17B3-47C2-A8FD-A4AE82C813B6}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"TCP Query User{2E92B54B-B6A1-4C40-A3E6-43EAD1A5963F}C:\\users\\george\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\george\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{3C8ABB27-2E0D-4FA1-BD2A-9BE538BE4DA7}C:\\users\\george\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\george\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"TCP Query User{E8973D96-B99C-43E7-9836-C7513148AF90}C:\\users\\george\\desktop\\transfer\\steam\\steamapps\\hdc4@harddrivecafes.com\\counter-strike\\hl.exe"= UDP:C:\users\george\desktop\transfer\steam\steamapps\hdc4@harddrivecafes.com\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{DBFCDF16-952F-47C1-8CBA-AD03147637B0}C:\\users\\george\\desktop\\transfer\\steam\\steamapps\\hdc4@harddrivecafes.com\\counter-strike\\hl.exe"= TCP:C:\users\george\desktop\transfer\steam\steamapps\hdc4@harddrivecafes.com\counter-strike\hl.exe:Half-Life Launcher
"{C8051F15-74D6-4AEC-8201-BB9249D98216}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FA5D3E9C-E0FB-4E8E-A19B-F761B5557139}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{814C6B8E-A74E-4EF6-8FB3-CB68DA54B151}"= C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{2C672AD2-14EF-411B-9BEB-EDE1F03DBC1F}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{A92C7D82-728D-4B41-8280-1FB72DCA5ED2}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{CFD962BD-4872-48EF-8AAF-738F2DE38002}C:\\program files\\ea games\\command and conquer generals\\patchget.dat"= UDP:C:\program files\ea games\command and conquer generals\patchget.dat:patchgrabber
"UDP Query User{C94C3E04-8406-4C4C-96EE-7D618D8C3DA7}C:\\program files\\ea games\\command and conquer generals\\patchget.dat"= TCP:C:\program files\ea games\command and conquer generals\patchget.dat:patchgrabber
"TCP Query User{F5DA80C0-7AEF-4814-A58D-668AE95C59E7}C:\\program files\\ea games\\command & conquer generals zero hour\\patchget.dat"= UDP:C:\program files\ea games\command & conquer generals zero hour\patchget.dat:patchgrabber
"UDP Query User{914ED5C4-D9C0-481C-B20C-E1199A3CB96C}C:\\program files\\ea games\\command & conquer generals zero hour\\patchget.dat"= TCP:C:\program files\ea games\command & conquer generals zero hour\patchget.dat:patchgrabber

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 809296]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-05-23 87288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c6c9e20-e412-11db-afaa-806e6f6e6963}]
\shell\AutoRun\command - F:\setup.exe

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 11:20:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-20 11:24:25
ComboFix-quarantined-files.txt 2008-10-20 16:24:07
ComboFix2.txt 2008-10-18 09:51:03

Pre-Run: 179,364,372,480 bytes free
Post-Run: 179,381,428,224 bytes free

7828 --- E O F --- 2008-10-20 14:38:33

Edited by bammbamm21, 21 October 2008 - 04:07 AM.


#13 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 21 October 2008 - 11:14 AM

Hi bammbamm21

I wouldn't worry too much about some of the other programs just yet.
Getting rid of this malware may cause a few glitches. We'll sort those out at the end.

Step 1
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Step 2
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run. (Note: If you are running Vista, right-click on OTMoveIt3 and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "MqtgSVC"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "MqtgSVC"=-
    [HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "Esent Utl"=-
    
    :Files
    C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe
    C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Your system will reboot after running OTMoveIt, I've set the script to do this.... so don't worry.
Wait until OTMoveIt has rebooted and finished, then:

Step 3
Reboot into 'Safe Mode'

Restart your computer.

When the computer starts you will see your computer's hardware being listed. When you see this information start to gently tap the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
Select the Safe Mode option using the arrow keys.
Then press the enter key on your keyboard to boot into Vista Safe Mode.
When Windows starts you will be at a typical logon screen. Logon to your computer and Vista will enter Safe mode.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
In your next reply, please submit:
OTMoveIt report
DrWebCureIt Report
and a new Hjt log

Thanks.

Edited by Starbuck, 21 October 2008 - 11:20 AM.



#14 bammbamm21

bammbamm21
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male
  • Location:menasha, wi

Posted 22 October 2008 - 07:14 AM

Hello Starbuck. All 3 tests ran fine (I think), and here are the reports as requested.

Error: Unable to interpret <Reg> in the current context!
Error: Unable to interpret <[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]> in the current context!
Error: Unable to interpret <"MqtgSVC"=-> in the current context!
Error: Unable to interpret <[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]> in the current context!
Error: Unable to interpret <"MqtgSVC"=-> in the current context!
Error: Unable to interpret <[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]> in the current context!
Error: Unable to interpret <"Esent Utl"=-> in the current context!
========== FILES ==========
C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe moved successfully.
C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\Users\George\AppData\Local\Temp\hsperfdata_George\26568 scheduled to be deleted on reboot.
File delete failed. C:\Users\George\AppData\Local\Temp\jar_cache42425.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10222008_004645

Files moved on Reboot...
File C:\Users\George\AppData\Local\Temp\hsperfdata_George\26568 not found!
C:\Users\George\AppData\Local\Temp\jar_cache42425.tmp moved successfully.

ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\George\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\George\Desktop;Archive contains infected objects;Moved.;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\George\DoctorWeb\Quarantine\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\George\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:12 AM, on 10/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\George\LOCALS~1\APPLIC~1\logman.exe
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlc07\hmunmlc07.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\George\LOCALS~1\APPLIC~1\logman.exe
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Esent Utl] C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Esent Utl] C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe /waitservice (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/games/c...n/abcisland.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8384 bytes
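Editor's note and added example (not part of the thread, and not a BleepingComputer or HijackThis tool): the OTMoveIt log above reports "Unable to interpret <Reg>" for every line of the registry block, so only the two files were moved and the Policies\Explorer\Run values were left in place, which is why the fresh HJT log still lists the MqtgSVC and Esent Utl entries. Three indicators stand out in that log: O4 autostarts under Policies\Explorer\Run, an F3 win.ini load= entry, and executables running from short-named paths inside the user profile (LOCALS~1\APPLIC~1, AppData\Roaming\MICROS~1, AppData\Local\Temp). The Python script below triages HJT log lines for exactly those three patterns. The regular expressions, the list of user-writable path markers, and the sample log lines (constructed, modelled on a few lines of the log above) are the editor's own assumptions.

```python
"""Triage a HijackThis (HJT) log for the autostart pattern seen in this thread.

Added example: the regexes, the user-writable path markers and the sample
lines are the editor's own constructions, not the thread's or HJT's.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on a few lines of the log posted above.
SAMPLE_HJT = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Users\George\LOCALS~1\APPLIC~1\logman.exe
C:\Users\George\AppData\Local\Temp\~tmp\hmunmlc07\hmunmlc07.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=C:\Users\George\LOCALS~1\APPLIC~1\logman.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\Users\George\AppData\Roaming\MICROS~1\mqtgsvc.exe /waitservice
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Esent Utl] C:\Users\George\AppData\Roaming\MICROS~1\esentutl.exe /waitservice (User 'SYSTEM')
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

# O4 lines: "O4 - <hive>\..\<key>: [<name>] <command> (User '<x>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# F3 lines: "F3 - REG:win.ini: load=<command>" (or run=)
F3_RE = re.compile(r"^F3 - REG:win\.ini: (?P<value>load|run)=(?P<cmd>.*)$", re.IGNORECASE)
# First drive-letter path ending in an executable extension inside a command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd)\b', re.IGNORECASE)
# A path component in 8.3 short form, e.g. \LOCALS~1\ or \MICROS~1\ (assumed heuristic).
SHORTNAME_RE = re.compile(r"\\[^\\]*~\d+(?:\\|$)")
# Directory markers a standard user can write to (assumed list).
USER_WRITABLE_MARKERS = (
    "\\users\\", "\\documents and settings\\", "\\appdata\\",
    "\\temp\\", "\\locals~1\\", "\\applic~1\\",
)


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def _path_of(cmd: str) -> str:
    m = PATH_RE.search(cmd)
    return m.group(0) if m else cmd.strip().strip('"')


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def has_short_name(path: str) -> bool:
    return SHORTNAME_RE.search(path) is not None


def _check(findings: List[Finding], line: str, cmd: str, extra=()) -> None:
    path = _path_of(cmd)
    reasons = list(extra)
    if is_user_writable(path):
        reasons.append("executable lives under a user-writable profile or temp directory")
    # Short names alone are common in HJT logs (C:\PROGRA~1\...), so only note them
    # when the entry is already suspicious for another reason.
    if reasons and has_short_name(path):
        reasons.append("path uses 8.3 short names (LOCALS~1, APPLIC~1, MICROS~1 style)")
    if reasons:
        findings.append(Finding(line=line, path=path, reasons=reasons))


def triage_hjt(text: str) -> List[Finding]:
    """Return one Finding per suspicious running process, O4 autostart or F3 win.ini entry."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
                continue
            _check(findings, line, line)
            continue
        m = O4_RE.match(line)
        if m:
            extra = []
            if "policies\\explorer\\run" in m.group("key").lower():
                extra.append("autostart under Policies\\Explorer\\Run (a policy key legitimate software rarely uses)")
            _check(findings, line, m.group("cmd"), extra)
            continue
        m = F3_RE.match(line)
        if m:
            _check(findings, line, m.group("cmd"),
                   [f"win.ini {m.group('value').lower()}= autostart (legacy entry, empty on a clean system)"])
    return findings


def suspect_binaries(findings: List[Finding]) -> Dict[str, List[str]]:
    """Collapse findings per executable, so a binary registered in several hives is listed once."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        bucket = out.setdefault(f.path.lower(), [])
        for r in f.reasons:
            if r not in bucket:
                bucket.append(r)
    return out


if __name__ == "__main__":
    for path, reasons in suspect_binaries(triage_hjt(SAMPLE_HJT)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample the script reports four binaries (logman.exe, hmunmlc07.exe, mqtgsvc.exe, esentutl.exe) and ignores the QuickTime, Sidebar and HijackThis entries; the same four show up in the full log above. Flagging is a triage aid only: an entry that is merely user-writable still needs a look at the file itself, and a cleanup that moves the files without removing the Policies\Explorer\Run values leaves orphaned autostarts that a later HJT log will keep listing.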

#15 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 22 October 2008 - 02:28 PM

Was there a proper report from DrWebCureIt ?
