
Please Help


  • This topic is locked
23 replies to this topic

#1 port55

  • Members
  • 13 posts

Posted 05 October 2008 - 10:28 PM

I made the mistake of downloading something off of LimeWire and now my laptop is screwed. Please help, I need this for school every day and I can't even type. My RAM is running at 100% and I have 2 gigs! It is affecting my internet very badly. I have done all of the things asked before I posted this, but it is not helping at all. Here is the HijackThis log. Thank you very much.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:11 PM, on 10/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\AGRSMMSG.exe
C:\Program Files\Function Key Controller\FKC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Charter\InstaLAN\InstaLAN.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Tim\svchost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Charter\InstaLAN\InstaLAN.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qoMgebAp.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Host Process] C:\Users\Tim\svchost.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Tim\AppData\Local\Temp\ddcASjhE.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Tim\AppData\Local\Temp\awtsroMe.dll,#1
O4 - HKCU\..\Run: [a4352ebc] rundll32.exe "C:\Users\Tim\AppData\Local\Temp\wjhbosli.dll",b
O4 - HKCU\..\Run: [BMa7061d20] Rundll32.exe "C:\Users\Tim\AppData\Local\Temp\qylccfej.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6861 bytes
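What a responder actually looks at in a log like the one above is the O4 (autorun) section: an svchost.exe living in C:\Users\Tim instead of System32, and a cluster of rundll32.exe entries that load DLLs with random-looking names out of the user's Temp folder through ordinal (#1) or single-letter exports. The script below is an added example written for this page; it is not part of the thread and not a HijackThis feature. The sample lines are copied from the log above, and the three indicators it checks (well-known system binary names outside System32, images under a Temp directory, rundll32 exports that are ordinals or single letters) are my own heuristic choices, not a published rule set.

```python
"""Triage autorun (O4) entries from a HijackThis log for common persistence red flags."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Subset of the O4 section of the log posted above, so the heuristics run
# against real entries rather than invented ones.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qoMgebAp.dll,#1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Host Process] C:\Users\Tim\svchost.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Tim\AppData\Local\Temp\ddcASjhE.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Tim\AppData\Local\Temp\awtsroMe.dll,#1
O4 - HKCU\..\Run: [a4352ebc] rundll32.exe "C:\Users\Tim\AppData\Local\Temp\wjhbosli.dll",b
O4 - HKCU\..\Run: [BMa7061d20] Rundll32.exe "C:\Users\Tim\AppData\Local\Temp\qylccfej.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# "O4 - HIVE\..\Key: [value name] command (User 'name')", the per-user suffix being optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
FIRST_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')
# rundll32 takes "<dll>,<export>"; the DLL path may be quoted.
RUNDLL_ARG_RE = re.compile(r'^"?(?P<dll>[^",]+?)"?,(?P<export>\S+)')
# Registry Run values are often unquoted even when the path has spaces, so take up to ".exe".
EXE_RE = re.compile(r'"([^"]+)"|(.*?\.exe)(?=\s|$)|(\S+)', re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "%systemroot%\\system32\\", "%windir%\\system32\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    image: str             # file that actually gets loaded (the DLL for rundll32 entries)
    export: Optional[str]  # rundll32 entry point, if any


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one 'O4 - ...' line; return None for anything that is not a registry Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m["cmd"].strip()
    if not cmd:
        return None
    head = FIRST_TOKEN_RE.match(cmd)
    loader = head.group(1) or head.group(2)
    if PureWindowsPath(loader).name.lower() == "rundll32.exe":
        rest = cmd[head.end():].strip()
        r = RUNDLL_ARG_RE.match(rest)
        if r:
            return Autorun(m["hive"], m["name"], cmd, r["dll"], r["export"])
        return Autorun(m["hive"], m["name"], cmd, rest, None)
    exe = EXE_RE.match(cmd)
    image = exe.group(1) or exe.group(2) or exe.group(3)
    return Autorun(m["hive"], m["name"], cmd, image, None)


def indicators(a: Autorun) -> List[str]:
    """Heuristics only: each hit is a reason to look harder, not proof of infection."""
    path = a.image.lower()
    base = PureWindowsPath(a.image).name.lower()
    reasons: List[str] = []
    if base in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append("system-binary name outside System32")
    if "\\temp\\" in path:
        reasons.append("loaded from a Temp directory")
    if a.export is not None and (a.export.startswith("#") or len(a.export) == 1):
        reasons.append("rundll32 export is an ordinal or single letter")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map 'HIVE:value name' to reasons for every O4 entry that trips at least one indicator."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        a = parse_o4(line)
        if a is None:
            continue
        reasons = indicators(a)
        if reasons:
            hits[f"{a.hive}:{a.name}"] = reasons
    return hits


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_O4).items():
        print(f"{entry:28} {'; '.join(why)}")
```

Run against the sample, it flags six of the ten entries and leaves the vendor autoruns (Windows Defender, NVIDIA, Java, the Welcome Center) alone. The export heuristic is what catches the HKLM MSServer entry, whose DLL sits in System32 and so would slip past a path-only rule; the Temp rule catches the four HKCU rundll32 entries, and the name rule catches the user-profile svchost.exe. Keyed on hive plus value name because the same value name (MSServer) appears under both HKLM and HKCU with different DLLs.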

#2 port55

  • Topic Starter
  • Members
  • 13 posts

Posted 12 October 2008 - 09:32 AM

Did I at least post this in the right place?

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 14 October 2008 - 10:54 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

Yes this is the right place.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and select Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTViewIt
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop. If you are using Windows Vista, right click the icon and select Run as Administrator.
  • Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports, saved in the same location as OTViewIt, will open:
    OTViewIt.txt <-- will be opened
    Extra.txt <-- will be minimized
Copy and Paste the logs into your next reply.
Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 19 October 2008 - 09:55 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 25 October 2008 - 03:36 PM

Hello.

Topic is re-opened.

Please post your logs.

With Regards,
The Panda

#6 port55

  • Topic Starter
  • Members
  • 13 posts

Posted 25 October 2008 - 04:04 PM

OTViewIt logfile created on: 10/25/2008 3:52:02 PM - Run 2
OTViewIt by OldTimer - Version 1.0.18.0 Folder = C:\Users\Tim\Desktop
Windows Vista An unknown product (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16386)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 55.10% Memory free
4.00 Gb Paging File | 3.08 Gb Available in Paging File | 77.04% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 141.30 Gb Total Space | 48.26 Gb Free Space | 34.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TIM-PC
Current User Name: Tim
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2006/11/02 04:45:57 | 00,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wininit.exe
[2006/11/02 04:45:21 | 00,210,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\lsm.exe
[2006/11/02 04:45:45 | 02,592,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SLsvc.exe
[2008/10/03 01:21:13 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2004/03/04 11:30:48 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\LEXBCES.EXE
[2004/03/04 11:26:20 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\LEXPPS.EXE
[2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
[2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2006/11/21 14:12:40 | 00,441,136 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
[2006/10/19 13:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[2007/01/20 07:22:05 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
[2007/02/10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
[2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
[2006/11/02 07:34:46 | 00,287,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchIndexer.exe
[2008/02/26 22:08:50 | 29,183,504 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
[2006/11/02 04:45:48 | 00,166,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskeng.exe
[2006/11/02 04:45:48 | 00,166,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskeng.exe
[2006/11/02 04:45:04 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwm.exe
[2006/11/02 07:34:32 | 01,004,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
[2006/02/03 16:36:12 | 00,761,946 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2006/02/15 17:51:08 | 00,088,365 | ---- | M] (Agere Systems) -- C:\Windows\AGRSMMSG.exe
[2006/05/25 16:49:00 | 00,049,152 | ---- | M] (Arima Computer Corp.) -- C:\Program Files\Function Key Controller\FKC.exe
[2006/11/23 15:10:42 | 00,056,928 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2007/02/18 16:09:02 | 00,548,864 | ---- | M] (Affinegy LLC) -- C:\Program Files\Charter\InstaLAN\InstaLAN.exe
[2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2007/05/31 09:21:28 | 00,648,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdcBase.exe
[2006/11/02 07:35:32 | 00,125,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehtray.exe
[2006/11/21 14:12:42 | 00,719,664 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
[2006/11/02 04:45:14 | 00,623,616 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2006/11/02 07:35:32 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehmsas.exe
[2006/11/02 04:45:13 | 00,288,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\ieuser.exe
[2006/11/02 04:45:37 | 00,044,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rundll32.exe
[2006/11/21 16:09:04 | 01,589,248 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
[2006/11/02 04:45:48 | 00,166,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskeng.exe
[2006/11/02 04:45:49 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\Windows\servicing\TrustedInstaller.exe
[2007/05/11 03:06:38 | 00,341,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
[2008/07/05 22:11:46 | 00,053,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuauclt.exe
[2006/11/02 07:36:04 | 00,201,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
[2006/11/02 07:36:04 | 00,895,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
[2006/11/02 07:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe
[2008/07/10 10:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2006/11/02 07:36:16 | 01,192,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe
[2006/11/02 04:45:14 | 00,623,616 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2008/10/25 15:31:59 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Users\Tim\Desktop\OTViewIt.exe
[2006/11/02 07:34:43 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchProtocolHost.exe
[2006/11/02 07:34:44 | 00,076,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchFilterHost.exe

========== (O23) Win32 Services ==========

[2008/10/03 01:21:13 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc [Auto | Running])
[2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2006/11/21 14:12:40 | 00,441,136 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins [Auto | Running])
File not found -- -- (CertPropSvc [Unknown | Stopped])
[2006/11/02 01:34:11 | 00,059,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
File not found -- -- (DcomLaunch [Unknown | Running])
[2006/11/02 07:36:25 | 02,089,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dfsr.exe -- (DFSR [On_Demand | Stopped])
[2006/11/02 04:46:04 | 00,134,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dps.dll -- (DPS [Unknown | Running])
[2006/11/02 07:35:28 | 00,291,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe -- (ehRecvr [On_Demand | Stopped])
[2006/11/02 07:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Running])
[2008/08/27 15:37:53 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
[2006/11/02 07:36:00 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2006/11/02 04:46:05 | 00,569,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\gpsvc.dll -- (gpsvc [Unknown | Running])
[2008/07/10 10:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2004/03/04 11:30:48 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\LEXBCES.EXE -- (LexBceS [Auto | Running])
[2006/10/19 13:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
[2006/11/02 08:04:14 | 00,000,000 | ---D | M] -- C:\Windows\System32\Msdtc -- (MSDTC [Unknown | Stopped])
[2008/02/26 22:08:50 | 29,183,504 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ [On_Demand | Running])
[2005/10/14 02:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
[2006/11/10 19:18:02 | 00,774,144 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
[2006/11/02 07:36:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/01/20 07:22:05 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
[2006/11/02 04:46:12 | 00,545,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rpcss.dll -- (RpcSs [Unknown | Running])
[2006/11/02 04:46:12 | 00,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SCardSvr.dll -- (SCardSvr [Unknown | Stopped])
File not found -- -- (Schedule [Unknown | Running])
File not found -- -- (SCPolicySvc [Unknown | Stopped])
[2006/11/02 04:45:45 | 02,592,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SLsvc.exe -- (slsvc [Auto | Running])
[2006/11/02 04:45:46 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\snmptrap.exe -- (SNMPTRAP [On_Demand | Stopped])
[2007/02/10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Auto | Running])
[2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
[2006/11/02 04:45:50 | 00,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\UI0Detect.exe -- (UI0Detect [On_Demand | Stopped])
[2006/11/02 04:45:50 | 00,392,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vds.exe -- (vds [On_Demand | Stopped])
File not found -- -- (WdiServiceHost [Unknown | Stopped])
File not found -- -- (WdiSystemHost [Unknown | Running])
[2006/11/02 07:36:04 | 00,895,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Running])
[2006/11/02 07:34:46 | 00,287,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchIndexer.exe -- (WSearch [Auto | Running])

========== Driver Services ==========

[2006/11/02 04:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])
[2006/11/02 04:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])
[2006/11/02 04:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])
[2006/11/02 04:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])
[2005/06/07 16:53:46 | 00,152,960 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Stopped])
[2007/02/08 17:11:58 | 00,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Windows\System32\drivers\AFGSp50.sys -- (AFGSp50 [On_Demand | Running])
[2006/02/15 16:26:18 | 01,153,728 | ---- | M] (Agere Systems) -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
[2006/11/02 04:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])
[2006/02/07 21:24:00 | 00,781,824 | ---- | M] (Airgo Networks, Inc.) -- C:\Windows\System32\drivers\TMIMO31P.sys -- (Airgo3P [On_Demand | Running])
[2006/11/02 04:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\System32\drivers\aliide.sys -- (aliide [Disabled | Stopped])
[2006/11/02 04:49:59 | 00,054,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\AMDAGP.SYS -- (amdagp [On_Demand | Stopped])
[2006/11/02 04:49:26 | 00,015,464 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\amdide.sys -- (amdide [Disabled | Stopped])
[2006/11/02 03:30:18 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\amdk7.sys -- (AmdK7 [Disabled | Stopped])
[2006/11/02 03:30:18 | 00,040,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\amdk8.sys -- (AmdK8 [On_Demand | Running])
[2006/11/02 04:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\arc.sys -- (arc [Disabled | Stopped])
[2006/11/02 04:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])
[2006/11/02 03:31:12 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\bowser.sys -- (bowser [On_Demand | Running])
[2006/11/02 03:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\System32\drivers\BrFiltLo.sys -- (BrFiltLo [On_Demand | Stopped])
[2006/11/02 03:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\System32\drivers\BrFiltUp.sys -- (BrFiltUp [On_Demand | Stopped])
[2006/11/02 03:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrSerId.sys -- (Brserid [Disabled | Stopped])
[2006/11/02 03:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrSerWdm.sys -- (BrSerWdm [Disabled | Stopped])
[2006/11/02 03:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrUsbMdm.sys -- (BrUsbMdm [Disabled | Stopped])
[2006/11/02 03:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrUsbSer.sys -- (BrUsbSer [On_Demand | Stopped])
[2006/11/02 03:55:23 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\bthenum.sys -- (BthEnum [On_Demand | Running])
[2006/11/02 03:55:23 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\bthmodem.sys -- (BTHMODEM [On_Demand | Running])
[2006/11/02 03:55:27 | 00,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\bthpan.sys -- (BthPan [On_Demand | Running])
[2006/11/02 03:55:23 | 00,220,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\bthport.sys -- (BTHPORT [On_Demand | Stopped])
[2006/11/02 03:55:20 | 00,029,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\BTHUSB.SYS -- (BTHUSB [On_Demand | Running])
[2006/11/20 16:59:00 | 00,078,128 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio [On_Demand | Running])
[2006/11/20 16:59:00 | 00,080,688 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt [On_Demand | Running])
[2006/11/20 16:59:00 | 00,016,560 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid [On_Demand | Running])
[2006/11/20 18:49:56 | 00,806,320 | ---- | M] (Bison Electronics. Inc. ) -- C:\Windows\System32\drivers\BisonCam.sys -- (Cam5603D [On_Demand | Running])
[2006/11/02 03:55:08 | 00,035,328 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\circlass.sys -- (circlass [Disabled | Stopped])
[2006/11/02 04:51:25 | 00,221,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\clfs.sys -- (CLFS [Unknown | Running])
[2006/11/02 04:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\System32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])
[2006/11/02 04:49:43 | 00,022,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\crcdisk.sys -- (crcdisk [Boot | Running])
[2006/11/02 03:30:18 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\crusoe.sys -- (Crusoe [Disabled | Stopped])
[2006/11/02 03:31:04 | 00,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\dfsc.sys -- (DfsC [System | Running])
[2006/11/02 03:38:51 | 00,617,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\dxgkrnl.sys -- (DXGKrnl [On_Demand | Running])
[2006/11/02 02:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])
[2006/11/02 07:34:35 | 00,132,200 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ecache.sys -- (Ecache [Boot | Running])
[2006/11/02 04:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\System32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])
[2006/11/02 04:49:58 | 00,056,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\fileinfo.sys -- (FileInfo [Boot | Running])
[2006/11/02 03:32:55 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\filetrace.sys -- (Filetrace [On_Demand | Stopped])
[2006/11/02 04:50:04 | 00,058,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\GAGP30KX.SYS -- (gagp30kx [On_Demand | Stopped])
[2008/01/29 12:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2006/11/02 02:36:49 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\hdaudbus.sys -- (HDAudBus [Disabled | Stopped])
[2006/11/02 03:55:22 | 00,029,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\hidbth.sys -- (HidBth [Disabled | Stopped])
[2006/11/02 03:55:01 | 00,021,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\hidir.sys -- (HidIr [Disabled | Stopped])
[2006/11/02 04:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\System32\drivers\HpCISSs.sys -- (HpCISSs [Disabled | Stopped])
[2006/11/02 04:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\iaStorV.sys -- (iaStorV [Disabled | Stopped])
[2006/11/02 04:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\System32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])
[2006/11/02 03:42:03 | 00,065,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\IPMIDrv.sys -- (IPMIDRV [Disabled | Stopped])
[2006/11/02 04:51:12 | 00,168,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msiscsi.sys -- (iScsiPrt [On_Demand | Running])
[2006/11/02 04:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\System32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])
[2006/11/02 04:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\System32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])
[2006/11/02 03:51:12 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2006/11/02 03:56:49 | 00,047,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\lltdio.sys -- (lltdio [Auto | Running])
[2006/11/02 04:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
[2006/11/02 04:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
[2006/11/02 04:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
[2006/11/02 03:33:07 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\luafv.sys -- (luafv [Auto | Running])
[2006/11/02 04:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\System32\drivers\megasas.sys -- (megasas [Disabled | Stopped])
[2004/09/14 15:55:44 | 00,088,960 | ---- | M] (Analog Devices, Inc.) -- C:\Windows\System32\drivers\MidiSyn.sys -- (MidiSyn [On_Demand | Stopped])
[2006/11/02 03:54:05 | 00,041,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\monitor.sys -- (monitor [On_Demand | Running])
[2006/11/02 04:50:16 | 00,078,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mpio.sys -- (mpio [Disabled | Stopped])
[2006/11/02 03:56:34 | 00,063,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mpsdrv.sys -- (mpsdrv [On_Demand | Running])
[2006/11/02 04:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\System32\drivers\Mraid35x.sys -- (Mraid35x [Disabled | Stopped])
[2006/11/02 03:31:27 | 00,211,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys -- (mrxsmb10 [On_Demand | Running])
[2006/11/02 03:31:17 | 00,057,856 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys -- (mrxsmb20 [On_Demand | Running])
[2006/11/02 04:49:44 | 00,023,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msahci.sys -- (msahci [Disabled | Stopped])
[2006/11/02 04:50:17 | 00,080,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msdsm.sys -- (msdsm [Disabled | Stopped])
[2006/11/02 04:49:20 | 00,013,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msisadrv.sys -- (msisadrv [Boot | Running])
[2006/11/02 04:51:09 | 00,160,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msrpc.sys -- (MsRPC [On_Demand | Stopped])
[2006/11/02 07:34:33 | 00,154,112 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\nwifi.sys -- (NativeWifiP [On_Demand | Running])
[2006/11/02 04:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\System32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])
[2006/11/02 03:57:30 | 00,016,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\nsiproxy.sys -- (nsiproxy [System | Running])
[2006/11/02 02:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\System32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])
[2007/01/13 09:40:00 | 04,452,288 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm [On_Demand | Running])
[2006/11/02 04:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])
[2006/11/02 04:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvstor.sys -- (nvstor [Disabled | Stopped])
[2006/11/02 04:50:40 | 00,106,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\NV_AGP.SYS -- (nv_agp [On_Demand | Stopped])
[2006/11/02 04:04:35 | 00,878,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\PEAuth.sys -- (PEAUTH [Auto | Running])
[2006/11/02 03:57:33 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\pacer.sys -- (PSched [System | Running])
[2006/11/02 04:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\System32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])
[2006/11/02 04:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\System32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])
[2006/11/02 07:34:31 | 00,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\qwavedrv.sys -- (QWAVEdrv [On_Demand | Stopped])
[2006/11/02 04:02:01 | 00,006,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\RDPENCDD.sys -- (RDPENCDD [System | Running])
[2006/11/02 03:55:23 | 00,049,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\rfcomm.sys -- (RFCOMM [On_Demand | Running])
[2006/11/15 20:16:24 | 00,032,256 | ---- | M] (REDC) -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk [Auto | Running])
[2006/11/15 15:42:46 | 00,043,520 | ---- | M] (REDC) -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk [Auto | Running])
[2006/11/02 03:56:49 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\rspndr.sys -- (rspndr [Auto | Running])
[2006/11/02 04:50:16 | 00,076,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sbp2port.sys -- (sbp2port [Disabled | Stopped])
[2006/11/02 03:35:12 | 00,082,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2006/11/02 01:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])
[2006/11/02 03:51:11 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sermouse.sys -- (sermouse [Disabled | Stopped])
[2006/11/02 03:51:38 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sffdisk.sys -- (sffdisk [Disabled | Stopped])
[2006/11/02 03:51:40 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sffp_mmc.sys -- (sffp_mmc [On_Demand | Stopped])
[2006/11/02 03:51:40 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sffp_sd.sys -- (sffp_sd [On_Demand | Stopped])
[2006/11/02 04:49:51 | 00,053,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\SISAGP.SYS -- (sisagp [On_Demand | Stopped])
[2006/11/02 04:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\System32\drivers\sisraid2.sys -- (SiSRaid2 [Disabled | Stopped])
[2006/11/02 04:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\System32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
[2006/11/02 03:57:10 | 00,066,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\smb.sys -- (Smb [System | Running])
[2006/03/09 12:18:00 | 00,222,848 | ---- | M] (Analog Devices, Inc.) -- C:\Windows\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2006/11/02 04:49:35 | 00,018,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\spldr.sys -- (spldr [Boot | Running])
[2006/11/02 03:31:47 | 00,129,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv2.sys -- (srv2 [On_Demand | Running])
[2006/11/02 03:31:44 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srvnet.sys -- (srvnet [On_Demand | Running])
[2006/11/02 04:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])
[2006/11/02 04:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])
[2006/11/02 04:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])
[2006/02/03 16:19:04 | 00,191,936 | ---- | M] (Synaptics, Inc.) -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2006/11/02 03:57:47 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpipreg.sys -- (tcpipreg [Auto | Running])
[2006/11/02 03:57:35 | 00,068,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tdx.sys -- (tdx [System | Running])
[2006/11/02 04:02:07 | 00,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tssecsrv.sys -- (tssecsrv [On_Demand | Stopped])
[2006/11/02 03:57:24 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\TUNMP.SYS -- (tunmp [On_Demand | Running])
[2006/11/02 03:57:29 | 00,023,040 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tunnel.sys -- (tunnel [On_Demand | Running])
[2006/11/02 04:49:59 | 00,056,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\UAGP35.SYS -- (uagp35 [On_Demand | Stopped])
[2006/11/02 04:50:04 | 00,058,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ULIAGPKX.SYS -- (uliagpkx [On_Demand | Stopped])
[2006/11/02 04:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\System32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])
[2006/11/02 04:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\System32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])
[2006/11/02 04:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\System32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
[2006/11/02 03:55:24 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\umbus.sys -- (umbus [On_Demand | Running])
[2006/11/02 03:55:04 | 00,071,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])
[2006/11/02 03:55:09 | 00,068,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbcir.sys -- (usbcir [Disabled | Stopped])
[2006/11/02 03:57:48 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
[2006/11/02 03:53:56 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\vgapnp.sys -- (vga [On_Demand | Stopped])
[2006/11/02 03:30:19 | 00,039,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\viac7.sys -- (ViaC7 [Disabled | Stopped])
[2006/11/02 04:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\System32\drivers\viaide.sys -- (viaide [Disabled | Stopped])
[2006/11/02 04:50:24 | 00,050,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\volmgr.sys -- (volmgr [Boot | Running])
[2006/11/02 04:51:30 | 00,290,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\volmgrx.sys -- (volmgrx [Boot | Running])
[2006/11/02 04:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\System32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])
[2006/11/02 03:52:52 | 00,020,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wacompen.sys -- (WacomPen [Disabled | Stopped])
[2006/11/02 04:49:38 | 00,019,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wd.sys -- (Wd [Disabled | Stopped])
[2006/11/02 04:51:41 | 00,492,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\Wdf01000.sys -- (Wdf01000 [Boot | Running])
[2006/11/02 03:35:03 | 00,011,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wmiacpi.sys -- (WmiAcpi [On_Demand | Running])
[2006/11/02 03:58:26 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ws2ifsl.sys -- (ws2ifsl [Disabled | Stopped])
[2006/11/02 02:30:56 | 00,194,048 | ---- | M] (Marvell) -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\Windows\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com/
"StartPageCache"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\Windows\System32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\Windows\System32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\Windows\System32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-953985276-4209345529-98313122-1000\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\Windows\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com/
"StartPageCache"=

[HKEY_USERS\S-1-5-21-953985276-4209345529-98313122-1000\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\Windows\System32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-953985276-4209345529-98313122-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
::1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AGRSMMSG"=AGRSMMSG.exe (Agere Systems)
"FunctionKeyCtrl"=C:\Program Files\Function Key Controller\FKC.exe (Arima Computer Corp.)
"InstaLAN"="C:\Program Files\Charter\InstaLAN\InstaLAN.exe" startup (Affinegy LLC)
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" ()
"MSConfig"="C:\Windows\system32\msconfig.exe" /auto (Microsoft Corporation)
"MSServer"=rundll32.exe C:\Windows\system32\qoMgebAp.dll,#1 (Microsoft Corporation)
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
"NvCplDaemon"=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"NvSvc"=RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart (NVIDIA Corporation)
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
"Windows Mobile-based device management"=%windir%\WindowsMobile\wmdcBase.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
"MSServer"=rundll32.exe C:\Users\Tim\AppData\Local\Temp\lJARlmNF.dll,#1 (Microsoft Corporation)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=%ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=%ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (Microsoft Corporation)
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-953985276-4209345529-98313122-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
"MSServer"=rundll32.exe C:\Users\Tim\AppData\Local\Temp\lJARlmNF.dll,#1 (Microsoft Corporation)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"ConsentPromptBehaviorAdmin"=2
"ConsentPromptBehaviorUser"=1
"EnableInstallerDetection"=1
"EnableLUA"=1
"EnableSecureUIAPaths"=1
"EnableVirtualization"=1
"PromptOnSecureDesktop"=1
"ValidateAdminCodeSignatures"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"scforceoption"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"FilterAdministratorToken"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=1
"CF_BITMAP"=2
"CF_OEMTEXT"=7
"CF_DIB"=8
"CF_PALETTE"=9
"CF_UNICODETEXT"=13
"CF_DIBV5"=17

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/03 16:08:56 | 17,929,752 | ---- | M] (Microsoft Corporation)
Send image to &Bluetooth Device...: C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm [2006/08/29 15:12:28 | 00,002,773 | ---- | M] ()
Send page to &Bluetooth Device...: C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [2006/10/26 19:28:50 | 00,005,601 | ---- | M] ()

[HKEY_USERS\S-1-5-21-953985276-4209345529-98313122-1000\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/03 16:08:56 | 17,929,752 | ---- | M] (Microsoft Corporation)
Send image to &Bluetooth Device...: C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm [2006/08/29 15:12:28 | 00,002,773 | ---- | M] ()
Send page to &Bluetooth Device...: C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm [2006/10/26 19:28:50 | 00,005,601 | ---- | M] ()

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{CCA281CA-C863-46ef-9331-5C8D4460577F}: Button: @btrez.dll,-4015 -- %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie.htm [2006/10/26 19:28:50 | 00,005,601 | ---- | M] ()
{CCA281CA-C863-46ef-9331-5C8D4460577F}: Menu: @btrez.dll,-12650 -- %ProgramFiles%\WIDCOMM\Bluetooth Software\btsendto_ie.htm [2006/10/26 19:28:50 | 00,005,601 | ---- | M] ()
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{CCA281CA-C863-46ef-9331-5C8D4460577F} [HKLM] -> [@btrez.dll,-4015] -> File not found

[HKEY_USERS\S-1-5-21-953985276-4209345529-98313122-1000\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{CCA281CA-C863-46ef-9331-5C8D4460577F} [HKLM] -> [@btrez.dll,-4015] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: http://download.microsoft.com/download/8/b...heckControl.cab -- Windows Genuine Advantage Validation Tool
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_06
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07

========== (O17) DNS Name Servers ==========

{06D904FA-3D18-413E-A19F-49059281F162} (Servers: | Description: Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller)
{A9103334-40DD-4104-8E7B-42CECAE21C3D} (Servers: | Description: Airgo Networks AGN300 True MIMO ™ Wireless Adapter)
{DC234EE1-94D1-4B92-97CB-C090E518C02D} (Servers: | Description: )
{E64C5443-EC57-440F-AFC8-E4457FB80C33} (Servers: | Description: Microsoft Windows Mobile Remote Adapter)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{108110EA-38DE-4317-837F-0548FC1B6C55}" (HKLM) -- C:\Windows\System32\qoMgebAp.dll (Microsoft Corporation)

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=credssp.dll
>[2006/11/02 04:46:03 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\credssp.dll

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,wdigest,tspkg,
>[2006/11/02 04:46:13 | 00,061,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TSpkg.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

autoexec.bat [REM Dummy file for NTVDM | ]
[2006/09/18 16:43:36 | 00,000,024 | ---- | M] () -- C:\autoexec.bat -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b661a00-4b07-11dd-9997-000b6b77edf5}\Shell]
""=AutoRun
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b661a00-4b07-11dd-9997-000b6b77edf5}\Shell\AutoRun\command]
""=F:\LaunchU3.exe -- File not found
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d1cb5d07-6844-11dd-b0c8-001641b2e7c4}\Shell\AutoRun\command]
""=E:\setupSNK.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\Windows\*.tmp files]
[2008/10/25 15:31:57 | 00,421,888 | ---- | C] (OldTimer Tools) -- C:\Users\Tim\Desktop\OTViewIt.exe
[2008/10/22 06:47:32 | 00,001,866 | ---- | C] () -- C:\Users\Public\Desktop\Sniper Elite Demo.lnk
[2008/10/22 06:46:24 | 00,000,000 | ---D | C] -- C:\Program Files\MC2
[2008/10/22 06:45:26 | 00,518,454 | R--- | C] () -- C:\Users\Tim\Desktop\setup.bmp
[2008/10/22 06:45:26 | 00,346,602 | R--- | C] () -- C:\Users\Tim\Desktop\ikernel.ex_
[2008/10/22 06:45:26 | 00,135,557 | R--- | C] () -- C:\Users\Tim\Desktop\setup.inx
[2008/10/22 06:45:26 | 00,000,441 | R--- | C] () -- C:\Users\Tim\Desktop\layout.bin
[2008/10/22 06:45:26 | 00,000,149 | R--- | C] () -- C:\Users\Tim\Desktop\Setup.ini
[2008/10/22 06:45:24 | 00,000,000 | ---D | C] -- C:\Users\Tim\Desktop\DirectX9
[2008/10/22 06:43:51 | 65,838,5795 | R--- | C] () -- C:\Users\Tim\Desktop\data2.cab
[2008/10/22 06:42:16 | 00,835,353 | R--- | C] () -- C:\Users\Tim\Desktop\data1.cab
[2008/10/22 06:42:16 | 00,043,971 | R--- | C] () -- C:\Users\Tim\Desktop\data1.hdr
[2008/10/22 06:28:30 | 00,000,000 | ---D | C] -- C:\Users\Tim\Documents\Downloads
[2008/10/22 06:28:28 | 00,000,000 | ---D | C] -- C:\Users\Tim\AppData\Roaming\GetRightToGo
[2008/10/06 01:33:32 | 00,000,017 | ---- | C] () -- C:\Users\Tim\Desktop\stinger.opt
[2008/10/05 19:54:08 | 01,493,216 | -H-- | C] () -- C:\Users\Tim\AppData\Local\IconCache.db
[2008/10/03 05:21:26 | 02,482,695 | ---- | C] (McAfee Inc.) -- C:\Users\Tim\Desktop\stinger.exe
[2008/10/03 05:17:30 | 00,001,055 | ---- | C] () -- C:\Users\Tim\Desktop\Spybot - Search & Destroy.lnk
[2008/10/03 05:17:25 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2008/10/03 05:17:25 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/10/03 05:15:54 | 15,083,520 | ---- | C] (Safer Networking Limited ) -- C:\Users\Tim\Desktop\spybotsd160.exe
[2008/10/03 05:07:58 | 21,467,54560 | -HS- | C] () -- C:\hiberfil.sys
[2008/10/03 01:20:07 | 00,000,933 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Watch.lnk
[2008/10/03 01:20:07 | 00,000,933 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2008/10/03 01:20:00 | 00,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2008/10/03 01:20:00 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/10/03 01:18:19 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/10/03 01:16:01 | 19,153,264 | ---- | C] () -- C:\Users\Tim\Desktop\aaw2008.exe
[2008/10/02 21:46:17 | 00,001,874 | ---- | C] () -- C:\Users\Tim\Desktop\HijackThis.lnk
[2008/10/02 21:46:17 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/10/02 21:39:10 | 00,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Users\Tim\Desktop\cwshredder.exe
[2008/10/02 21:38:13 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Tim\Desktop\HJTInstall.exe
[2008/10/02 20:59:15 | 00,113,053 | ---- | C] () -- C:\ProgramData\BMa7061d20.xml
[2008/10/02 20:59:15 | 00,000,022 | ---- | C] () -- C:\ProgramData\pskt.ini
[2008/10/02 05:56:27 | 00,000,000 | -HSD | C] -- C:\Windows\VGlt
[2008/10/02 05:56:23 | 00,000,000 | ---D | C] -- C:\Windows\System32\zep
[2008/10/02 05:56:23 | 00,000,000 | ---D | C] -- C:\Windows\System32\tcon
[2008/10/02 05:56:23 | 00,000,000 | ---D | C] -- C:\Windows\System32\tb
[2008/10/02 05:56:23 | 00,000,000 | ---D | C] -- C:\Windows\System32\NP6
[2008/10/02 05:56:16 | 00,000,000 | ---D | C] -- C:\Windows\System32\EV02
[2008/10/02 05:56:16 | 00,000,000 | ---D | C] -- C:\Temp
[2008/10/02 05:56:13 | 00,034,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mlJApqNH.dll
[2008/10/02 05:56:12 | 00,034,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qoMgebAp.dll
[2008/10/02 03:42:00 | 00,509,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_2.dll
[2008/10/02 03:42:00 | 00,068,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_1.dll
[2008/10/02 03:41:59 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_2.dll
[2008/10/02 03:41:57 | 01,493,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_39.dll
[2008/10/02 03:41:57 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_39.dll
[2008/10/02 03:41:55 | 03,851,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_39.dll
[2008/10/02 03:41:54 | 00,507,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_1.dll
[2008/10/02 03:41:54 | 00,065,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_0.dll
[2008/10/02 03:41:53 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_1.dll
[2008/10/02 03:41:53 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_4.dll
[2008/10/02 03:41:52 | 01,491,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_38.dll
[2008/10/02 03:41:52 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_38.dll
[2008/10/02 03:41:50 | 03,850,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_38.dll
[2008/10/02 03:41:49 | 00,479,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_0.dll
[2008/10/02 03:41:48 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_0.dll
[2008/10/02 03:41:47 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_3.dll
[2008/10/02 03:41:45 | 01,420,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_37.dll
[2008/10/02 03:41:45 | 00,462,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_37.dll
[2008/10/02 03:41:43 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll
[2008/10/02 03:41:41 | 00,267,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_10.dll
[2008/10/02 03:41:37 | 00,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_36.dll
[2008/10/02 03:41:36 | 01,374,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_36.dll
[2008/10/02 03:41:34 | 03,734,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_36.dll
[2008/10/02 03:41:30 | 00,267,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_9.dll
[2008/10/02 03:41:28 | 01,358,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_35.dll
[2008/10/02 03:41:28 | 00,444,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_35.dll
[2008/10/02 03:41:26 | 03,727,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_35.dll
[2008/10/02 03:41:24 | 00,266,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_8.dll
[2008/10/02 03:41:24 | 00,017,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_2.dll
[2008/10/02 03:41:21 | 01,124,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_34.dll
[2008/10/02 03:41:21 | 00,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_34.dll
[2008/10/02 03:41:20 | 03,497,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_34.dll
[2008/10/02 03:41:20 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2008/10/02 03:41:18 | 00,261,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_7.dll
[2008/10/02 03:41:14 | 01,123,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_33.dll
[2008/10/02 03:41:14 | 00,443,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_33.dll
[2008/10/02 03:41:10 | 03,495,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_33.dll
[2008/10/02 03:41:09 | 00,255,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_6.dll
[2008/10/02 03:41:09 | 00,015,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_1.dll
[2008/10/02 03:40:00 | 00,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2008/10/02 03:39:04 | 00,000,000 | -H-D | C] -- C:\Windows\msdownld.tmp
[2008/10/02 03:38:58 | 00,000,000 | ---D | C] -- C:\Windows\System32\directx
[2008/10/02 03:23:00 | 00,350,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3drm.dll
[2008/10/01 21:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\SVKSystems
[2008/10/01 03:54:32 | 00,000,000 | ---D | C] -- C:\Users\Tim\Documents\Flight Sim
[2008/10/01 03:54:12 | 00,000,000 | ---D | C] -- C:\Program Files\PhoenixRC
[2008/10/01 03:52:05 | 00,000,000 | ---D | C] -- C:\Users\Tim\Documents\PhoenixRC Demo
[2008/09/30 22:44:09 | 00,000,000 | ---D | C] -- C:\Users\Tim\Documents\RealFlight G4 Demo
[2008/09/30 22:42:22 | 00,000,000 | ---D | C] -- C:\Program Files\RealFlight G4 Demo
[2008/09/30 22:42:22 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\KnifeEdge
[2008/09/30 22:24:10 | 00,440,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10.dll
[2008/09/30 22:24:10 | 00,251,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_5.dll
[2008/09/30 22:24:09 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll
[2008/09/30 22:24:09 | 00,237,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_4.dll
[2008/09/30 22:24:08 | 02,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll
[2008/09/30 22:24:08 | 00,236,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_3.dll
[2008/09/30 22:24:08 | 00,062,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_2.dll
[2008/09/30 22:24:07 | 00,230,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_2.dll
[2008/09/30 22:24:07 | 00,229,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_1.dll
[2008/09/30 22:24:07 | 00,062,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_1.dll
[2008/09/30 22:23:54 | 02,332,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_29.dll
[2008/09/30 22:23:54 | 00,230,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_0.dll
[2008/09/30 22:23:54 | 00,014,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_0.dll
[2008/09/30 22:23:53 | 02,319,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_27.dll
[2008/09/30 22:23:53 | 02,297,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_26.dll
[2008/09/30 22:23:52 | 02,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll
[2008/09/30 22:23:51 | 02,222,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_24.dll

========== Files - Modified Within 30 Days ==========

[1 C:\Windows\*.tmp files]
[2008/10/25 15:49:26 | 00,012,931 | ---- | M] () -- C:\Users\Tim\AppData\Roaming\nvModes.dat
[2008/10/25 15:49:26 | 00,012,931 | ---- | M] () -- C:\Users\Tim\AppData\Roaming\nvModes.001
[2008/10/25 15:49:14 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2008/10/25 15:31:59 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Users\Tim\Desktop\OTViewIt.exe
[2008/10/25 15:27:08 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2008/10/25 15:27:08 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2008/10/22 06:47:32 | 00,001,866 | ---- | M] () -- C:\Users\Public\Desktop\Sniper Elite Demo.lnk
[2008/10/21 19:56:14 | 00,782,632 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2008/10/21 19:56:14 | 00,665,356 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2008/10/21 19:56:14 | 00,121,546 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2008/10/18 15:05:08 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2008/10/18 15:04:53 | 21,467,54560 | -HS- | M] () -- C:\hiberfil.sys
[2008/10/18 15:04:28 | 20,368,3152 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2008/10/14 19:50:17 | 00,002,060 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2008/10/14 19:49:51 | 01,493,216 | -H-- | M] () -- C:\Users\Tim\AppData\Local\IconCache.db
[2008/10/06 03:57:14 | 00,000,017 | ---- | M] () -- C:\Users\Tim\Desktop\stinger.opt
[2008/10/05 20:54:43 | 00,000,022 | ---- | M] () -- C:\ProgramData\pskt.ini
[2008/10/05 20:54:33 | 00,113,053 | ---- | M] () -- C:\ProgramData\BMa7061d20.xml
[2008/10/05 19:40:21 | 51,222,2672 | ---- | M] () -- C:\Users\Tim\Documents\Adobe_Photoshop_CS3_Extended_v10__(with_crack_full_version).zip
[2008/10/03 05:21:37 | 02,482,695 | ---- | M] (McAfee Inc.) -- C:\Users\Tim\Desktop\stinger.exe
[2008/10/03 05:17:30 | 00,001,055 | ---- | M] () -- C:\Users\Tim\Desktop\Spybot - Search & Destroy.lnk
[2008/10/03 05:16:20 | 15,083,520 | ---- | M] (Safer Networking Limited ) -- C:\Users\Tim\Desktop\spybotsd160.exe
[2008/10/03 01:20:07 | 00,000,933 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Watch.lnk
[2008/10/03 01:20:07 | 00,000,933 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2008/10/03 01:16:30 | 19,153,264 | ---- | M] () -- C:\Users\Tim\Desktop\aaw2008.exe
[2008/10/02 21:46:17 | 00,001,874 | ---- | M] () -- C:\Users\Tim\Desktop\HijackThis.lnk
[2008/10/02 21:39:14 | 00,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Users\Tim\Desktop\cwshredder.exe
[2008/10/02 21:38:23 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Tim\Desktop\HJTInstall.exe
[2008/10/02 05:56:12 | 00,034,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\qoMgebAp.dll
[2008/10/02 05:56:12 | 00,034,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mlJApqNH.dll
[2008/10/02 03:23:00 | 00,350,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\d3drm.dll
< End of report >

OTViewIt Extras logfile created on: 10/25/2008 3:52:02 PM - Run 2
OTViewIt by OldTimer - Version 1.0.18.0 Folder = C:\Users\Tim\Desktop
Windows Vista An unknown product (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16386)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 55.10% Memory free
4.00 Gb Paging File | 3.08 Gb Available in Paging File | 77.04% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 141.30 Gb Total Space | 48.26 Gb Free Space | 34.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TIM-PC
Current User Name: Tim
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av"=1
"AntiVirusOverride"=0
"AntiSpywareOverride"=0
"FirewallOverride"=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"DisableNotifications"=0
"EnableFirewall"=1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] -- C:\Windows\System32\nlaapi.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\napinsp.dll,-1000] -- C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000005 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] -- C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000006 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] -- C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000007 [Bluetooth Namespace] -- C:\Windows\System32\wshbth.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000008 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
ldap -- 4 = Restricted sites (Not a Default Protocol)
news -- 4 = Restricted sites (Not a Default Protocol)
nntp -- 4 = Restricted sites (Not a Default Protocol)
oecmd -- 4 = Restricted sites (Not a Default Protocol)
snews -- 4 = Restricted sites (Not a Default Protocol)

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
@ivt -- @ivt protocol not assigned
file -- file protocol not assigned
ftp -- ftp protocol not assigned
http -- http protocol not assigned
https -- https protocol not assigned
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/10/26 13:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/05/10 13:45:34 | 08,069,464 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 21:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}"=Apple Software Update
"{04AF207D-9A77-465A-8B76-991F6AB66245}"=Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}"=Adobe Bridge Start Meeting
"{08CA9554-B5FE-4313-938F-D4A417B81175}"=QuickTime
"{18039280-98B7-4C5E-AAC0-10EBC9731033}"=Nero 7 Essentials
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}"=Adobe WinSoft Linguistics Plugin
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}"=Adobe ExtendScript Toolkit 2
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}"=Adobe Stock Photos CS3
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}"=Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{3248F0A8-6813-11D6-A77B-00B0D0160060}"=Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{353D20CC-719B-4A60-AD33-D03F88C10330}"=Microsoft Office Accounting PayPal Addin
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}"=Adobe Photoshop CS3
"{46614A49-222A-48EF-87A9-BFD603E608E1}"=Microsoft Office Accounting Fixed Asset Manager
"{4727EB39-BB6F-4571-A0B6-AB6331D57665}"=LimeWire
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}"=Bonjour
"{4A57592C-FF92-4083-97A9-92783BD5AFB4}"=BisonCam
"{50120000-1105-0000-0000-0000000FF1CE}"=Microsoft Office 2007 Primary Interop Assemblies
"{51846830-E7B2-4218-8968-B77F0FF475B8}"=Adobe Color EU Extra Settings
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}"=Microsoft SQL Server Setup Support Files (English)
"{54793AA1-5001-42F4-ABB6-C364617C6078}"=Adobe Linguistics CS3
"{5FA793A6-0071-42C1-9355-8F69A428C44F}"=Microsoft Office Accounting ADP Payroll Addin
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}"=Adobe Setup
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}"=Adobe Fonts All
"{6C3CA595-C639-427A-AD69-0CFD56041762}"=Function Key Controller
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}"=Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}"=Adobe Asset Services CS3
"{73F015EF-256A-4358-B867-317F143E4AAA}"=ClearView
"{7EEA397D-3E3D-4C60-8585-DC897C8D36E0}"=RealFlight G4 Demo
"{802771A9-A856-4A41-ACF7-1450E523C923}"=Adobe XMP Panels CS3
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8C711818-076E-475C-B95B-DF11CD9D8DBE}"=Microsoft Office Accounting Equifax Addin
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}"=Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}"=Adobe Type Support
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}"=Adobe Anchor Service CS3
"{90A40409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office 2003 Web Components
"{91120000-00CA-0000-0000-0000000FF1CE}"=Microsoft Office Small Business 2007
"{95655ED4-7CA5-46DF-907F-7144877A32E5}"=Adobe Color NA Recommended Settings
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}"=Adobe Bridge CS3
"{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}"=WIDCOMM Bluetooth Software 6.0.1.3400
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}"=Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}"=Adobe Color - Photoshop Specific
"{A939D341-5A04-4E0A-BB55-3E65B386432D}"=Microsoft Office Small Business Connectivity Components
"{A979B2D8-E3EE-4523-A26C-4AF0A6809280}"=Sniper Elite Demo
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}"=PDF Settings
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AC76BA86-7AD7-5464-3428-800000000003}"=Spelling Dictionaries Support For Adobe Reader 8
"{B0717D5A-1976-482B-9ADF-F19631A541A4}"=Microsoft Office Accounting 2007
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}"=Business Contact Manager for Outlook 2007 SP1
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}"=Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}"=Adobe Setup
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}"=Adobe Default Language CS3
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}"=Marvell Miniport Driver
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}"=Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}"=Adobe PDF Library Files
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}"=Adobe Color JA Extra Settings
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}"=LightScribe 1.4.124.1
"{E69AE897-9E0B-485C-8552-7841F48D42D8}"=Adobe Update Manager CS3
"{E7044E25-3038-4A76-9064-344AC038043E}"=Windows Mobile Device Center Driver Update
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}"=Microsoft SQL Server VSS Writer
"{EF6C4600-306D-4F6A-A119-C2A877D25B4A}"=iTunes
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}"=Microsoft SQL Server Native Client
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}"=Adobe Setup
"214BDAEC84F786809EC86AB552023CBB8CD6A93C"=Windows Driver Package - Lifeview (LVHybridP) MEDIA (10/03/2006 13.33.00.4001)
"2B0D8F3C-18AD-4D8E-879A-74A867C5C3CB_is1"=InstaLAN
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe_3e054d2218e7aa282c2369d939e58ff"=Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e"=Adobe Color Common Settings
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1"=Adobe Photoshop CS3
"Agere Systems Soft Modem"=Agere Systems AC'97 Modem
"Business Contact Manager"=Business Contact Manager for Outlook 2007 SP1
"Dell Photo Printer 720"=Dell Photo Printer 720
"HijackThis"=HijackThis 2.0.2
"InstallShield_{4727EB39-BB6F-4571-A0B6-AB6331D57665}"=LimeWire
"Microsoft Office Accounting 2007"=Microsoft Office Accounting 2007
"Microsoft Office Accounting Equifax Addin"=Microsoft Office Accounting Equifax Addin
"Microsoft Office Accounting PayPal Addin"=Microsoft Office Accounting PayPal Addin
"Microsoft SQL Server 2005"=Microsoft SQL Server 2005
"NVIDIA Drivers"=NVIDIA Drivers
"SMALLBUSINESSR"=Microsoft Office Small Business 2007
"SynTPDeinstKey"=Synaptics Pointing Device Driver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/15/2008 9:04:49 AM | Computer Name = Tim-PC | Source = MsiInstaller | ID = 11935
Description =

Error - 10/15/2008 9:14:20 AM | Computer Name = Tim-PC | Source = MsiInstaller | ID = 1024
Description =

Error - 10/16/2008 6:49:06 AM | Computer Name = Tim-PC | Source = VSS | ID = 8194
Description =

Error - 10/18/2008 12:48:07 AM | Computer Name = Tim-PC | Source = VSS | ID = 8194
Description =

Error - 10/18/2008 4:14:10 PM | Computer Name = Tim-PC | Source = VSS | ID = 8194
Description =

Error - 10/19/2008 11:26:52 PM | Computer Name = Tim-PC | Source = Application Hang | ID = 1002
Description = The program PowerDVD.exe version 7.0.2422.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1474 Start Time: 01c93263a3955558 Termination Time: 26

Error - 10/19/2008 11:36:23 PM | Computer Name = Tim-PC | Source = Application Hang | ID = 1002
Description = The program PowerDVD.exe version 7.0.2422.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: bd8 Start Time: 01c93264f9b3435e Termination Time: 11

Error - 10/19/2008 11:43:27 PM | Computer Name = Tim-PC | Source = Application Hang | ID = 1002
Description = The program PowerDVD.exe version 7.0.2422.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1268 Start Time: 01c93265f7188234 Termination Time: 63

Error - 10/19/2008 11:53:12 PM | Computer Name = Tim-PC | Source = Application Hang | ID = 1002
Description = The program PowerDVD.exe version 7.0.2422.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 11dc Start Time: 01c9326757ad329c Termination Time: 63

Error - 10/19/2008 11:57:33 PM | Computer Name = Tim-PC | Source = Application Hang | ID = 1002
Description = The program PowerDVD.exe version 7.0.2422.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 13b4 Start Time: 01c93267f116454a Termination Time: 12

[ Media Center Events ]
Error - 8/28/2008 8:08:55 AM | Computer Name = Tim-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ OSession Events ]
Error - 7/22/2008 11:18:08 PM | Computer Name = Tim-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6300.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 17
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 10/16/2008 6:43:53 AM | Computer Name = Tim-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:38:20 AM on 10/16/2008 was unexpected.

Error - 10/16/2008 6:50:27 AM | Computer Name = Tim-PC | Source = WinDefend | ID = 3006
Description = %%827 Real-Time Protection agent has encountered an error when taking
action on spyware or other potentially unwanted software. For more information please
see the following: http://go.microsoft.com/fwlink/?linkid=370...threatid=125118

Scan ID: {17CAE97F-E725-4BCC-935D-5638F2897C0F} User: Tim-PC\Tim Name: Trojan:Win32/Vundo.HK
ID: 125118 Severity ID: 5 Category ID: 8 Path: Alert Type: %%805 Action: %%811 Error Code:
0x80508022 Error description: To finish removing spyware and other potentially unwanted
software, restart the computer.

Error - 10/16/2008 7:03:15 AM | Computer Name = Tim-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:58:11 AM on 10/16/2008 was unexpected.

Error - 10/16/2008 7:41:07 AM | Computer Name = Tim-PC | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetbiosSmb because
another computer on the network has the same name. The server could not start.

Error - 10/18/2008 4:05:01 PM | Computer Name = Tim-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 12:39:02 AM on 10/18/2008 was unexpected.

Error - 10/23/2008 7:29:40 PM | Computer Name = Tim-PC | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 000B6B77EDF5. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

< End of report >

I assume that both logs are the same; just in case they are not, I posted them both. I haven't really changed anything, except for when my Defender or SB SnD tells me I have trojans that need to be removed, all I did was click remove. This has happened a few times. The only trojan I remember was a "msconfig" type thing, I think. I should have written them down and will from now on if it happens again. Thanks

#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:11:53 AM

Posted 25 October 2008 - 06:00 PM

Hello port55.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run.

To disable SpyBot's TeaTimer:
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below:
After installing, update the database, run a full system scan and remove any items found.

Please post back with:
-the ComboFix log
-a new HijackThis log

With Regards,
The Panda

Edited by PropagandaPanda, 25 October 2008 - 06:00 PM.


#8 port55

  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:53 AM

Posted 25 October 2008 - 07:55 PM

Combofix did not prompt me with anything about Windows Recovery, so I guess it was OK. Here is the log.

ComboFix 08-10-24.02 - Tim 2008-10-25 19:37:09.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1472 [GMT -5:00]
Running from: C:\Users\Tim\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Users\Tim\AppData\Local\Temp\tuVnnmkl.dll
C:\Windows\system32\mlJApqNH.dll
C:\Windows\system32\MSINET.oca
C:\Windows\system32\pac.txt
C:\Windows\system32\qoMgebAp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-22 06:46 . 2008-10-22 06:46 <DIR> d-------- C:\Program Files\MC2
2008-10-22 06:28 . 2008-10-22 06:40 <DIR> d-------- C:\Users\Tim\AppData\Roaming\GetRightToGo
2008-10-03 08:28 . 2008-10-03 22:11 <DIR> d-------- C:\Users\Tim\.housecall6.6
2008-10-03 05:17 . 2008-10-05 20:53 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-10-03 05:17 . 2008-10-05 20:53 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-10-03 05:17 . 2008-10-05 20:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-03 01:20 . 2008-10-03 01:22 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-10-03 01:20 . 2008-10-03 01:22 <DIR> d-------- C:\ProgramData\Lavasoft
2008-10-03 01:20 . 2008-10-03 01:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-03 01:18 . 2008-10-03 01:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-02 22:53 . 2008-10-05 19:40 22 --a------ C:\Users\Tim\a.zip
2008-10-02 22:49 . 2008-10-02 22:49 485 --a------ C:\Users\Tim\523.bat
2008-10-02 21:46 . 2008-10-02 21:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 20:59 . 2008-10-02 20:59 485 --a------ C:\Users\Tim\480.bat
2008-10-02 20:59 . 2008-10-03 00:55 68 --a------ C:\Users\Tim\z.bat
2008-10-02 06:00 . 2008-10-02 06:00 <DIR> d--hs---- C:\Users\Tim\'
2008-10-02 06:00 . 2008-10-03 00:58 147,456 --a------ C:\Users\Tim\vbzip10.dll
2008-10-02 05:56 . 2008-10-02 05:56 <DIR> d--hs---- C:\Windows\VGlt
2008-10-02 05:56 . 2008-10-03 04:12 <DIR> d-------- C:\Windows\System32\zep
2008-10-02 05:56 . 2008-10-02 05:56 <DIR> d-------- C:\Windows\System32\tcon
2008-10-02 05:56 . 2008-10-02 05:56 <DIR> d-------- C:\Windows\System32\tb
2008-10-02 05:56 . 2008-10-02 05:56 <DIR> d-------- C:\Windows\System32\NP6
2008-10-02 05:56 . 2008-10-02 05:56 <DIR> d-------- C:\Windows\System32\EV02
2008-10-02 05:56 . 2008-10-02 05:56 <DIR> d-------- C:\Temp\xp34
2008-10-02 05:56 . 2008-10-25 19:38 <DIR> d-------- C:\Temp
2008-10-02 05:56 . 2008-10-03 00:54 46,080 --a------ C:\Users\Tim\index.exe
2008-10-02 05:56 . 2008-10-02 05:56 485 --a------ C:\Users\Tim\207.bat
2008-10-02 05:56 . 2008-10-02 05:56 71 --a------ C:\Users\Tim\5372.bat
2008-10-02 03:42 . 2008-07-31 10:40 509,448 --a------ C:\Windows\System32\XAudio2_2.dll
2008-10-02 03:42 . 2008-07-31 10:41 68,616 --a------ C:\Windows\System32\XAPOFX1_1.dll
2008-10-02 03:40 . 2008-10-02 03:40 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-10-02 03:40 . 2008-10-02 03:40 <DIR> d-------- C:\ProgramData\NVIDIA
2008-10-02 03:39 . 2008-10-02 03:40 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-10-02 03:23 . 2008-10-02 03:23 350,208 --a------ C:\Windows\System32\d3drm.dll
2008-10-01 21:46 . 2008-10-01 21:46 <DIR> d-------- C:\Program Files\SVKSystems
2008-10-01 03:54 . 2008-10-01 03:54 <DIR> d-------- C:\Program Files\PhoenixRC
2008-09-30 22:42 . 2008-09-30 22:42 <DIR> d-------- C:\Program Files\RealFlight G4 Demo
2008-09-30 22:42 . 2008-09-30 22:42 <DIR> d-------- C:\Program Files\Common Files\KnifeEdge
2008-09-30 22:24 . 2006-11-29 13:06 3,426,072 --a------ C:\Windows\System32\d3dx9_32.dll
2008-09-30 22:24 . 2006-09-28 16:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-09-30 22:24 . 2006-11-29 13:06 440,080 --a------ C:\Windows\System32\d3dx10.dll
2008-09-30 22:24 . 2006-12-08 12:02 251,672 --a------ C:\Windows\System32\xactengine2_5.dll
2008-09-30 22:24 . 2006-09-28 16:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-09-30 22:24 . 2006-07-28 09:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-09-30 22:24 . 2006-07-28 09:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-09-30 22:23 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 00:20 12,931 ----a-w C:\Users\Tim\AppData\Roaming\nvModes.dat
2008-10-22 11:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-15 13:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-10-02 11:05 --------- d-----w C:\Program Files\LimeWire
2008-09-17 00:20 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-09-15 04:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-09-10 21:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-27 20:54 --------- d-----w C:\ProgramData\FLEXnet
2008-08-27 20:37 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-31 15:41 238,088 ----a-w C:\Windows\System32\xactengine3_2.dll
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-03 761946]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 81920]
"FunctionKeyCtrl"="C:\Program Files\Function Key Controller\FKC.exe" [2006-05-25 49152]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"InstaLAN"="C:\Program Files\Charter\InstaLAN\InstaLAN.exe" [2007-02-18 548864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Windows Mobile-based device management"="C:\Windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 222208]
"AGRSMMSG"="AGRSMMSG.exe" [2006-02-15 C:\Windows\AGRSMMSG.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-21 719664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E1A2FFBA-A8C3-48C4-BEDA-834B69B77595}"= UDP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{78DB214D-024C-4C63-A02A-F03139799468}"= TCP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{4F7D10A7-FDE9-4A51-9CB2-7C47CBFA5523}"= UDP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{EE69B5D1-B9CF-45B2-945E-F300EFFE8EE9}"= TCP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{4FB1CFEB-F04D-432B-84CC-D80DBBDBCFC7}"= UDP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{1F7EF5D5-236A-49D1-AC5D-A3E2536E943A}"= TCP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{459F49FB-ABB1-4673-9D28-30560CEDD330}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{5595A46F-7088-437D-9746-8F6362782068}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0CB4BAB8-50DF-49A6-9190-8754D31C26A8}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{088BD455-8B38-44A8-9DE5-9C5CD361A8F0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{471B242E-8D4D-4346-95F1-F7A7558A6422}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{99360883-81CF-4484-9E08-CF376DC878AE}C:\\program files\\limewire\\limewire 4.2.6 pro\\limewire.exe"= UDP:C:\program files\limewire\limewire 4.2.6 pro\limewire.exe:LimeWire
"UDP Query User{0B99D502-17B3-48AA-B918-01798D267D23}C:\\program files\\limewire\\limewire 4.2.6 pro\\limewire.exe"= TCP:C:\program files\limewire\limewire 4.2.6 pro\limewire.exe:LimeWire
"TCP Query User{13B6A2ED-1315-433D-89F4-06DF0BA5BAE9}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{EAA096D4-08C7-46AD-AF65-F8C2BD9A0740}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R3 AFGSp50;AFGSp50 NDIS Protocol Driver;C:\Windows\system32\Drivers\AFGSp50.sys [2007-02-08 27072]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;C:\Windows\system32\DRIVERS\TMIMO31P.sys [2006-02-07 781824]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-20 78128]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-11-20 80688]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-20 16560]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 194048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b661a00-4b07-11dd-9997-000b6b77edf5}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1cb5d07-6844-11dd-b0c8-001641b2e7c4}]
\shell\AutoRun\command - E:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSServer - C:\Windows\system32\qoMgebAp.dll
ShellExecuteHooks-{108110EA-38DE-4317-837F-0548FC1B6C55} - C:\Windows\system32\qoMgebAp.dll
MSConfigStartUp-Host Process - C:\Users\Tim\svchost.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 -: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-25 19:47:15
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Tim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5QUUNMV\114[1]

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-10-25 19:51:28 - machine was rebooted [Tim]
ComboFix-quarantined-files.txt 2008-10-26 00:51:23

Pre-Run: 51,660,877,824 bytes free
Post-Run: 52,321,058,816 bytes free

195 --- E O F --- 2008-10-15 13:17:54

#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:11:53 AM

Posted 26 October 2008 - 09:36 AM

Hello port55.

Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    C:\Users\Tim\a.zip
    C:\Users\Tim\523.bat
    C:\Users\Tim\480.bat
    C:\Users\Tim\z.bat
    C:\Users\Tim\207.bat
    C:\Users\Tim\5372.bat
    
    Folder::
    C:\Users\Tim\'
    C:\Windows\System32\zep
    C:\Windows\System32\tcon
    C:\Windows\System32\tb
    C:\Windows\System32\NP6
    C:\Windows\System32\EV02
    C:\Temp\xp34
    
    Rootkit::
    C:\Users\Tim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5QUUNMV\114[1]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you also use the Firefox browser...
  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser...
  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, select My Computer in the Scan section on the left side of the page.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please post back with:
-the ComboFix log
-the Kaspersky log
-a new HijackThis log

How is your computer running now?

With Regards,
The Panda
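
As an added example (not code from this thread, from ComboFix or from BleepingComputer), the script below cross-checks a CFScript like the one above against the ComboFix log the run produces: it parses the File::/Folder::/Rootkit:: directives and the log's "FILE ::" and "Other Deletions" sections (section names and layout are assumed from the log posted in the next reply) and reports which requested items the log confirms as removed. The sample inputs are constructed from paths shown in this thread.

```python
import re

# Constructed sample CFScript, reproducing directives from the thread.
SAMPLE_CFSCRIPT = r"""File::
C:\Users\Tim\a.zip
C:\Users\Tim\523.bat
C:\Users\Tim\z.bat

Folder::
C:\Users\Tim\'
C:\Windows\System32\tb
C:\Windows\System32\zep

Rootkit::
C:\Users\Tim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5QUUNMV\114[1]
"""

# Constructed excerpt of the ComboFix log from that run, keeping only the
# "FILE ::" echo of the script and the "Other Deletions" section.
SAMPLE_LOG = r"""ComboFix 08-10-24.02 - Tim 2008-10-27 19:13:34.2 - NTFSx86
Command switches used :: C:\Users\Tim\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Users\Tim\523.bat
C:\Users\Tim\a.zip
C:\Users\Tim\z.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Tim\'
C:\Users\Tim\523.bat
C:\Users\Tim\a.zip
C:\Users\Tim\z.bat
C:\Windows\System32\tb
C:\Windows\System32\tb\BHW44V39.exe
C:\Windows\System32\zep

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.
"""

# A ComboFix section header looks like "(((( Other Deletions ))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Return {directive: [entries]} for a CFScript (File::, Folder::, Rootkit::)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # a directive line such as "Folder::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:        # an entry belonging to the open directive
            sections[current].append(line)
    return sections


def parse_log_deletions(text):
    """Return the lower-cased paths listed under 'FILE ::' and 'Other Deletions'."""
    deleted = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:                       # any "(((( ... ))))" line opens a new section
            current = header.group(1)
            continue
        if line == "FILE ::":            # ComboFix echoes the File:: list here
            current = "FILE"
            continue
        if current in ("FILE", "Other Deletions") and line and line != ".":
            deleted.add(line.lower())    # NTFS paths are case-insensitive
    return deleted


def check_script_against_log(script_text, log_text):
    """Map each (directive, entry) of the script to True if the log confirms its removal.

    Folder:: entries count as confirmed when the folder itself or anything under it
    is listed. Rootkit:: entries are not listed in these sections of the posted log,
    so they come back unconfirmed and must be verified another way.
    """
    script = parse_cfscript(script_text)
    deleted = parse_log_deletions(log_text)
    report = {}
    for directive, entries in script.items():
        for entry in entries:
            key = entry.lower()
            if directive == "Folder":
                prefix = key.rstrip("\\") + "\\"
                confirmed = key in deleted or any(p.startswith(prefix) for p in deleted)
            else:
                confirmed = key in deleted
            report[(directive, entry)] = confirmed
    return report


def unconfirmed_entries(report):
    """Entries the log does not confirm, sorted for stable output."""
    return sorted(k for k, ok in report.items() if not ok)


if __name__ == "__main__":
    result = check_script_against_log(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    for (directive, entry), ok in sorted(result.items()):
        print(f"{'OK     ' if ok else 'UNSURE '} {directive}:: {entry}")
```

With the sample inputs every File:: and Folder:: entry is confirmed and only the Rootkit:: entry is reported as unconfirmed, which is the item to check against the catchme section of the new log rather than assume removed.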

#10 port55

  • Topic Starter
  • Members
  • 13 posts
  • Local time:10:53 AM

Posted 27 October 2008 - 07:35 PM

ComboFix 08-10-24.02 - Tim 2008-10-27 19:13:34.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1123 [GMT -5:00]
Running from: C:\Users\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Users\Tim\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Users\Tim\207.bat
C:\Users\Tim\480.bat
C:\Users\Tim\523.bat
C:\Users\Tim\5372.bat
C:\Users\Tim\a.zip
C:\Users\Tim\z.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\xp34
C:\Temp\xp34\cPH.log
C:\Users\Tim\'
C:\Users\Tim\207.bat
C:\Users\Tim\480.bat
C:\Users\Tim\523.bat
C:\Users\Tim\5372.bat
C:\Users\Tim\a.zip
C:\Users\Tim\z.bat
C:\Windows\System32\EV02
C:\Windows\System32\EV02\EV022328.exe
C:\Windows\System32\NP6
C:\Windows\System32\tb
C:\Windows\System32\tb\BHW44V39.exe
C:\Windows\System32\tcon
C:\Windows\System32\zep

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.

2008-10-22 06:46 . 2008-10-22 06:46 <DIR> d-------- C:\Program Files\MC2
2008-10-22 06:28 . 2008-10-22 06:40 <DIR> d-------- C:\Users\Tim\AppData\Roaming\GetRightToGo
2008-10-03 08:28 . 2008-10-03 22:11 <DIR> d-------- C:\Users\Tim\.housecall6.6
2008-10-03 05:17 . 2008-10-05 20:53 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-10-03 05:17 . 2008-10-05 20:53 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-10-03 05:17 . 2008-10-05 20:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-03 01:20 . 2008-10-03 01:22 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-10-03 01:20 . 2008-10-03 01:22 <DIR> d-------- C:\ProgramData\Lavasoft
2008-10-03 01:20 . 2008-10-03 01:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-03 01:18 . 2008-10-03 01:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-02 21:46 . 2008-10-02 21:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 06:00 . 2008-10-03 00:58 147,456 --a------ C:\Users\Tim\vbzip10.dll
2008-10-02 05:56 . 2008-10-02 05:56 <DIR> d--hs---- C:\Windows\VGlt
2008-10-02 05:56 . 2008-10-27 19:14 <DIR> d-------- C:\Temp
2008-10-02 05:56 . 2008-10-03 00:54 46,080 --a------ C:\Users\Tim\index.exe
2008-10-02 03:42 . 2008-07-31 10:40 509,448 --a------ C:\Windows\System32\XAudio2_2.dll
2008-10-02 03:42 . 2008-07-31 10:41 68,616 --a------ C:\Windows\System32\XAPOFX1_1.dll
2008-10-02 03:40 . 2008-10-02 03:40 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-10-02 03:40 . 2008-10-02 03:40 <DIR> d-------- C:\ProgramData\NVIDIA
2008-10-02 03:39 . 2008-10-02 03:40 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-10-02 03:23 . 2008-10-02 03:23 350,208 --a------ C:\Windows\System32\d3drm.dll
2008-10-01 21:46 . 2008-10-01 21:46 <DIR> d-------- C:\Program Files\SVKSystems
2008-10-01 03:54 . 2008-10-01 03:54 <DIR> d-------- C:\Program Files\PhoenixRC
2008-09-30 22:42 . 2008-09-30 22:42 <DIR> d-------- C:\Program Files\RealFlight G4 Demo
2008-09-30 22:42 . 2008-09-30 22:42 <DIR> d-------- C:\Program Files\Common Files\KnifeEdge
2008-09-30 22:24 . 2006-11-29 13:06 3,426,072 --a------ C:\Windows\System32\d3dx9_32.dll
2008-09-30 22:24 . 2006-09-28 16:05 2,414,360 --a------ C:\Windows\System32\d3dx9_31.dll
2008-09-30 22:24 . 2006-11-29 13:06 440,080 --a------ C:\Windows\System32\d3dx10.dll
2008-09-30 22:24 . 2006-12-08 12:02 251,672 --a------ C:\Windows\System32\xactengine2_5.dll
2008-09-30 22:24 . 2006-09-28 16:05 237,848 --a------ C:\Windows\System32\xactengine2_4.dll
2008-09-30 22:24 . 2006-07-28 09:30 236,824 --a------ C:\Windows\System32\xactengine2_3.dll
2008-09-30 22:24 . 2006-07-28 09:30 62,744 --a------ C:\Windows\System32\xinput1_2.dll
2008-09-30 22:23 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-28 00:07 12,931 ----a-w C:\Users\Tim\AppData\Roaming\nvModes.dat
2008-10-22 11:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-15 13:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-10-02 11:05 --------- d-----w C:\Program Files\LimeWire
2008-09-17 00:20 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-09-15 04:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-09-10 21:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-31 15:41 238,088 ----a-w C:\Windows\System32\xactengine3_2.dll
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-10-25_19.50.29.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-26 00:42:35 2,060 ----a-w C:\Windows\bthservsdp.dat
+ 2008-10-28 00:17:54 2,060 ----a-w C:\Windows\bthservsdp.dat
+ 2008-10-28 00:13:06 5,541,888 ----a-w C:\Windows\ERDNT\Hiv-backup\SCHEMA.DAT
- 2008-10-26 00:43:51 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-28 00:19:05 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-10-26 00:43:51 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-10-28 00:19:05 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-10-26 00:46:26 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-10-28 00:21:50 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-10-26 00:46:26 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-10-28 00:21:50 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-10-26 00:30:10 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-10-28 00:11:34 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-26 00:30:10 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-28 00:11:34 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-26 00:30:10 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-28 00:11:34 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-10-26 00:37:50 121,546 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-10-26 04:21:11 121,546 ----a-w C:\Windows\System32\perfc009.dat
- 2008-10-26 00:37:50 665,356 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-10-26 04:21:11 665,356 ----a-w C:\Windows\System32\perfh009.dat
- 2008-10-26 00:43:43 5,767,168 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-10-28 00:18:58 5,767,168 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-10-26 00:46:13 7,010 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-953985276-4209345529-98313122-1000_UserData.bin
+ 2008-10-26 04:19:27 7,010 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-953985276-4209345529-98313122-1000_UserData.bin
- 2008-10-26 00:46:13 51,472 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-26 04:19:27 51,472 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-10-26 00:20:03 245,632 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-10-27 21:26:38 245,994 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-03 761946]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 81920]
"FunctionKeyCtrl"="C:\Program Files\Function Key Controller\FKC.exe" [2006-05-25 49152]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"InstaLAN"="C:\Program Files\Charter\InstaLAN\InstaLAN.exe" [2007-02-18 548864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Windows Mobile-based device management"="C:\Windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 222208]
"AGRSMMSG"="AGRSMMSG.exe" [2006-02-15 C:\Windows\AGRSMMSG.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-21 719664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E1A2FFBA-A8C3-48C4-BEDA-834B69B77595}"= UDP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{78DB214D-024C-4C63-A02A-F03139799468}"= TCP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{4F7D10A7-FDE9-4A51-9CB2-7C47CBFA5523}"= UDP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{EE69B5D1-B9CF-45B2-945E-F300EFFE8EE9}"= TCP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{4FB1CFEB-F04D-432B-84CC-D80DBBDBCFC7}"= UDP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{1F7EF5D5-236A-49D1-AC5D-A3E2536E943A}"= TCP:C:\Program Files\Charter\InstaLAN\InstaLAN.exe:InstaLAN
"{459F49FB-ABB1-4673-9D28-30560CEDD330}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{5595A46F-7088-437D-9746-8F6362782068}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0CB4BAB8-50DF-49A6-9190-8754D31C26A8}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{088BD455-8B38-44A8-9DE5-9C5CD361A8F0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{471B242E-8D4D-4346-95F1-F7A7558A6422}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{99360883-81CF-4484-9E08-CF376DC878AE}C:\\program files\\limewire\\limewire 4.2.6 pro\\limewire.exe"= UDP:C:\program files\limewire\limewire 4.2.6 pro\limewire.exe:LimeWire
"UDP Query User{0B99D502-17B3-48AA-B918-01798D267D23}C:\\program files\\limewire\\limewire 4.2.6 pro\\limewire.exe"= TCP:C:\program files\limewire\limewire 4.2.6 pro\limewire.exe:LimeWire
"TCP Query User{13B6A2ED-1315-433D-89F4-06DF0BA5BAE9}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{EAA096D4-08C7-46AD-AF65-F8C2BD9A0740}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R3 AFGSp50;AFGSp50 NDIS Protocol Driver;C:\Windows\system32\Drivers\AFGSp50.sys [2007-02-08 27072]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;C:\Windows\system32\DRIVERS\TMIMO31P.sys [2006-02-07 781824]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-20 78128]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-11-20 80688]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-20 16560]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 194048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b661a00-4b07-11dd-9997-000b6b77edf5}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1cb5d07-6844-11dd-b0c8-001641b2e7c4}]
\shell\AutoRun\command - E:\setupSNK.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 19:21:56
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Windows\TEMP\TMP000000290401CF4654A31C42 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Windows\System32\wermgr.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-10-27 19:27:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-28 00:26:50
ComboFix2.txt 2008-10-26 00:51:29

Pre-Run: 51,845,283,840 bytes free
Post-Run: 51,829,993,472 bytes free

213 --- E O F --- 2008-10-15 13:17:54

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:11:53 AM

Posted 27 October 2008 - 07:49 PM

Hello.

Please complete the Kaspersky scan and post a new HijackThis log :thumbsup: .

With Regards,
The Panda

#12 port55

  • Topic Starter
  • Members
  • 13 posts
  • Local time:10:53 AM

Posted 27 October 2008 - 10:44 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, October 27, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, October 27, 2008 23:28:48
Records in database: 1352171
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 157703
Threat name: 5
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:42:38


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Users\Tim\AppData\Local\Temp\tuVnnmkl.dll.vir Infected: Trojan.Win32.Monder.wai 1
C:\Qoobox\Quarantine\C\Windows\System32\EV02\EV022328.exe.vir Infected: Trojan-Downloader.Win32.VB.hzp 1
C:\Qoobox\Quarantine\C\Windows\System32\mlJApqNH.dll.vir Infected: Trojan.Win32.Monder.qnu 1
C:\Qoobox\Quarantine\C\Windows\System32\qoMgebAp.dll.vir Infected: Trojan.Win32.Monder.qnu 1
C:\Qoobox\Quarantine\C\Windows\System32\tb\BHW44V39.exe.vir Infected: Trojan-Clicker.Win32.Agent.dvi 1
C:\Users\Tim\.housecall6.6\Quarantine\a.zip.bac_a08956 Infected: Trojan-Downloader.Win32.VB.dck 1
C:\Users\Tim\.housecall6.6\Quarantine\Setup.exe.bac_a08956 Infected: Trojan-Downloader.Win32.VB.dck 1

The selected area was scanned.

_______________________________________________________________________________-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:48 PM, on 10/27/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\AGRSMMSG.exe
C:\Program Files\Function Key Controller\FKC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Charter\InstaLAN\InstaLAN.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FunctionKeyCtrl] C:\Program Files\Function Key Controller\FKC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Charter\InstaLAN\InstaLAN.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6095 bytes

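A small triage helper for HijackThis O4/O23 lines like those in the log above, added here as an example (it is not from this thread, from HijackThis, or from the helper's own tools); the sample lines, the environment-variable defaults and the list of system binary names are constructed assumptions. It extracts the image each Run-key entry or service actually loads and flags images launched from a user profile or Temp directory, system-binary names living outside C:\Windows, and services with no recorded publisher.

```python
import re

# Constructed sample lines in HijackThis O4/O23 format (not copied from the thread's log).
SAMPLE = """\
O4 - HKLM\\..\\Run: [NvSvc] RUNDLL32.EXE C:\\Windows\\system32\\nvsvc.dll,nvsvcStart
O4 - HKUS\\S-1-5-19\\..\\Run: [Sidebar] %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKCU\\..\\Run: [svchost] C:\\Users\\alice\\svchost.exe
O4 - HKLM\\..\\Run: [upd] "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe" /silent
O23 - Service: RichVideo (RichVideo) - Unknown owner - C:\\Program Files\\CyberLink\\Shared Files\\RichVideo.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ENV = {"%windir%": "C:\\Windows", "%ProgramFiles%": "C:\\Program Files"}  # assumed defaults
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

def executable_of(cmd):
    """Return the image (exe or dll) a Run-key command actually loads."""
    for var, val in ENV.items():
        cmd = cmd.replace(var, val)
    cmd = re.sub(r"(?i)^\s*rundll32(\.exe)?\s+", "", cmd)  # rundll32 loads the DLL after it
    m = re.match(r'(?i)^\s*"?(.*?\.(?:exe|dll|scr|com|bat|cmd))', cmd)
    return m.group(1) if m else cmd.split()[0].strip('"')

def reasons_for(path, owner=None):
    """Heuristic reasons an autostart image deserves a closer look (empty = nothing odd)."""
    low = path.lower()
    out = []
    if low.startswith(("c:\\users\\", "c:\\documents and settings\\")):
        out.append("runs from a user profile directory")
    if "\\temp\\" in low:
        out.append("runs from a Temp directory")
    if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        out.append("system binary name outside C:\\Windows")
    if owner and owner.strip().lower() == "unknown owner":
        out.append("service has no recorded publisher")
    return out

def triage(log_text):
    """Map each flagged O4/O23 line to its reasons; lines with nothing odd are omitted."""
    findings = {}
    for line in log_text.splitlines():
        m4, m23 = O4_RE.match(line), O23_RE.match(line)
        why = (reasons_for(executable_of(m4.group("cmd"))) if m4 else
               reasons_for(m23.group("path").strip(), m23.group("owner")) if m23 else [])
        if why:
            findings[line] = why
    return findings
```

The "unknown owner" flag is only a prompt to check the file, as the page's own RichVideo entry shows it is often a legitimate vendor that simply did not fill in the field.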
#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:53 AM

Posted 28 October 2008 - 07:22 AM

Hello port55.

Looks good to me. Please delete everything in this folder:
C:\Users\Tim\.housecall6.6\Quarantine

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Run Cleanup! with OTViewIt
Let's clear out the tools we've used.
  • Double click the OTViewIt.exe icon on your desktop to start the program.
  • Click CleanUp!.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type:
    cleanmgr
  • Click OK.
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections: Visit the Windows Update Site regularly.
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
    Note that it will download them for you, but you still have to actually click install.
    If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#14 port55

port55
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 29 October 2008 - 09:07 PM

thank you very much for helping me. my computer is running much better. hopefully it will stay that way. where can i make a donation? i am a broke college student so it won't be very much but i would like to show my appreciation for you taking your time to help me out. thanks again - Tim

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:53 AM

Posted 30 October 2008 - 07:09 AM

Hello Tim.

You are very welcome.

I don't accept donations personally, nor does BC. However, if you wish to show your appreciation, consider making a donation to MalwareRemoval. This site, like BC, helps people with their malware problems. In addition, the staff there offer training programs for malware removal. I was trained at a similar school at BC.

With Regards,
The Panda
