
Infected with Troj/virtum-gen


  • This topic is locked
13 replies to this topic

#1 Tugger

Tugger

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 13 October 2008 - 02:50 PM

Greetings!

I've been having some problems removing Troj/virtum-gen.
I have tried everything in my power; Sophos can't get rid of it, and neither can Spybot, Ad-Aware, or any of the other programs recommended in your Preparation Guide.

According to Sophos, this is my infected file: C:\WINDOWS\system32\pWHQYcfe.ini

Thanks in advance.

Here is my HJT-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:00, on 2008-10-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\dpt\dptservice.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WINZIP\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.afconsult.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.afconsult.com
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: 1LOGIN.CMD (User 'Default user')
O4 - .DEFAULT User Startup: info.cmd (User 'Default user')
O4 - Startup: info.cmd
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://inside.afconsult.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = af.se
O17 - HKLM\Software\..\Telephony: DomainName = af.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = af.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = af.se
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = af.se
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL assdbw.dll ssbvnl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DPT Client (DPT) - Unknown owner - C:\WINDOWS\system32\dpt\dptservice.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

--
End of file - 7547 bytes



#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:38 AM

Posted 19 October 2008 - 09:32 PM

Hello, Tugger.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
If you would still like help, please follow the instructions below:

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Tugger

Tugger
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 21 October 2008 - 09:55 AM

Here are the logs:

OTviewIt.txt:

OTViewIt logfile created on: 2008-10-21 16:49:16 - Run 4
OTViewIt by OldTimer - Version 1.0.17.0 Folder = C:\Documents and Settings\A403683\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

1014,05 Mb Total Physical Memory | 349,79 Mb Available Physical Memory | 34,49% Memory free
2,38 Gb Paging File | 0,48 Gb Available in Paging File | 20,27% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55,80 Gb Total Space | 28,97 Gb Free Space | 51,92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AFSEGBGPC02028
Current User Name: A403683
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 90 Days

========== Processes ==========

[2008-01-03 08:56:20 | 00,098,304 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
[2008-10-11 19:15:08 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2008-09-10 16:50:26 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008-08-29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2008-04-08 12:08:00 | 00,147,456 | ---- | M] () -- C:\WINDOWS\system32\dpt\dptservice.exe
[2006-03-30 17:23:56 | 00,216,576 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.EXE
[2003-06-20 01:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[2004-11-06 01:00:00 | 00,196,608 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
[2008-01-03 08:55:01 | 00,069,632 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
[2008-01-03 08:53:56 | 00,266,240 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
[2008-06-13 10:11:33 | 00,172,032 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
[2008-01-03 08:53:42 | 00,790,528 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe
[2005-01-28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2004-08-04 01:56:56 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2006-03-24 18:30:44 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
[2006-03-30 17:24:20 | 00,108,544 | ---- | M] (DameWare Development) -- C:\WINDOWS\system32\DWRCST.EXE
[2007-01-13 17:47:04 | 00,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2007-01-13 17:46:36 | 00,135,168 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
[2005-12-09 20:29:52 | 00,049,152 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[2007-01-13 17:46:24 | 00,241,664 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
[2005-09-08 05:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
[2004-07-27 16:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[2006-02-19 02:41:10 | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[2008-06-10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2008-09-10 17:40:06 | 00,289,576 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
[2008-08-08 14:11:12 | 00,490,952 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\daemon.exe
[2008-09-16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2008-01-03 08:56:55 | 00,245,760 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALMon.exe
[2006-02-19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2003-02-11 09:10:00 | 00,106,560 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WINZIP\WZQKPICK.EXE
[2008-09-10 17:39:48 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2006-02-19 05:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
[2008-09-30 00:39:29 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008-10-21 10:16:01 | 00,139,264 | ---- | M] (Kaspersky Lab.) -- C:\Documents and Settings\A403683\Local Settings\Temp\jkos-A403683\binaries\ScanningProcess.exe
[2008-10-21 10:16:01 | 00,139,264 | ---- | M] (Kaspersky Lab.) -- C:\Documents and Settings\A403683\Local Settings\Temp\jkos-A403683\binaries\ScanningProcess.exe
[2008-10-20 22:12:30 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\A403683\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008-10-11 19:15:08 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2008-09-10 16:50:26 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2005-09-23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008-08-29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2005-09-23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008-04-08 12:08:00 | 00,147,456 | ---- | M] () -- C:\WINDOWS\system32\dpt\dptservice.exe -- (DPT [Auto | Running])
[2006-03-30 17:23:56 | 00,216,576 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.EXE -- (DWMRCS [Auto | Running])
[2008-09-10 17:39:48 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2003-06-20 01:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
[2003-07-28 14:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007-08-09 09:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])
[2004-11-06 01:00:00 | 00,196,608 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL [Auto | Running])
[2008-01-03 08:55:01 | 00,069,632 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService [Unknown | Running])
[2008-01-03 08:56:20 | 00,098,304 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService [Unknown | Running])
[2008-01-03 08:53:56 | 00,266,240 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe -- (Sophos Agent [Auto | Running])
[2008-06-13 10:11:33 | 00,172,032 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service [Auto | Running])
[2008-01-03 08:53:42 | 00,790,528 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe -- (Sophos Message Router [Auto | Running])
[2005-01-28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007-01-19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2005-10-06 18:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])

========== Driver Services ==========

[2006-10-03 13:15:22 | 00,158,208 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k [On_Demand | Running])
[2004-08-04 01:10:40 | 00,017,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\BthEnum.sys -- (BthEnum [On_Demand | Running])
[2004-08-03 23:10:40 | 00,038,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\bthmodem.sys -- (BTHMODEM [On_Demand | Running])
[2004-08-04 00:58:40 | 00,100,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\bthpan.sys -- (BthPan [On_Demand | Stopped])
[2004-08-04 01:10:38 | 00,274,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\bthport.sys -- (BTHPORT [On_Demand | Stopped])
[2004-08-04 01:10:36 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\BTHUSB.SYS -- (BTHUSB [On_Demand | Running])
[2005-09-08 05:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
[2005-08-25 12:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
[2005-09-08 05:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN [Auto | Running])
[2005-09-08 05:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
[2005-09-08 05:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
[2005-09-08 05:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
[2005-08-25 12:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N [System | Running])
[2005-09-08 05:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
[2005-09-08 05:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
[2005-09-12 03:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
[2005-08-12 05:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
[2008-04-17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2006-11-21 23:05:48 | 00,061,312 | ---- | M] (O2Micro) -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2 [On_Demand | Running])
[2005-01-07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2004-08-03 23:10:38 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\hidbth.sys -- (HidBth [On_Demand | Running])
[2006-04-12 12:04:39 | 00,049,664 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2006-04-12 12:04:39 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2006-04-12 12:04:39 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2005-12-01 01:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2005-12-01 01:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
[2007-01-13 18:33:18 | 05,672,032 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm [On_Demand | Running])
[2004-08-03 22:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2005-10-04 23:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2006-10-17 12:55:28 | 01,711,104 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\NETw3x32.sys -- (NETw3x32 [On_Demand | Stopped])
[2001-08-23 15:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2005-01-26 02:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2004-08-04 01:10:40 | 00,059,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rfcomm.sys -- (RFCOMM [On_Demand | Running])
[2007-04-24 09:33:34 | 00,083,336 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s125bus.sys -- (s125bus [On_Demand | Stopped])
[2007-04-24 09:33:42 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s125mdfl.sys -- (s125mdfl [On_Demand | Stopped])
[2007-04-24 09:33:44 | 00,108,680 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s125mdm.sys -- (s125mdm [On_Demand | Stopped])
[2007-04-24 09:33:46 | 00,100,488 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s125mgmt.sys -- (s125mgmt [On_Demand | Stopped])
[2008-01-03 08:55:48 | 00,101,120 | ---- | M] (Sophos Plc) -- C:\WINDOWS\system32\drivers\savonaccesscontrol.sys -- (SAVOnAccessControl [System | Running])
[2008-01-03 08:55:38 | 00,033,408 | ---- | M] (Sophos Plc) -- C:\WINDOWS\system32\drivers\savonaccessfilter.sys -- (SAVOnAccessFilter [System | Running])
[2004-08-04 02:05:44 | 00,067,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus [On_Demand | Running])
[2007-06-09 09:32:43 | 00,011,973 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2001-08-17 12:10:28 | 00,035,913 | ---- | M] (SMC) -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA [On_Demand | Running])
[2008-09-28 23:11:57 | 00,717,296 | ---- | M] () -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd [Boot | Running])
[2006-03-24 18:34:30 | 01,156,648 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
[2008-01-15 03:39:58 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2005-12-01 01:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf [On_Demand | Running])
[2004-08-04 01:07:42 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
[2008-06-13 19:48:50 | 00,083,344 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\z530obex.sys -- (z530obex [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://inside.afconsult.com
"Default_Search_URL"=http://www.google.com/ie
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://inside.afconsult.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s
"provider"=gogl

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://inside.afconsult.com/

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://inside.afconsult.com/

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://inside.afconsult.com/

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://inside.afconsult.com/

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://inside.afconsult.com/

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s
"provider"=gogl

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (266048 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 123topsearch.com
127.0.0.1 www.123topsearch.com
127.0.0.1 132.com
127.0.0.1 www.132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net
9216 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{1913F913-DDEA-4C32-BC76-D115B9222A19} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not

found
{344F39DC-EA87-3882-879E-D8B295DEDAE4} (HKLM) -- C:\WINDOWS\system32\xwr47437.dll (Microsoft Corporation)
{39213986-9AA4-448D-83FD-A44379D425DC} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{3C3D6A39-B167-4506-A377-E262402A29F5} (HKLM) -- C:\WINDOWS\system32\ddcAsRhH.dll ()
{3DADE00B-F138-40DB-9C91-AF3F16BE5C3A} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{5954EC04-4E11-4223-B7DC-67A4F22873C7} (HKLM) -- C:\WINDOWS\system32\byXqroOe.dll ()
{73646E25-DA77-49BE-9C2F-D51EDABA82F5} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{7A65DA76-1528-4988-BBD7-20F35AE3A4C7} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{7ADC7466-E244-4C02-9BC8-19A67B3E9D7B} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{AAB1F8EF-BD11-457E-BAA5-8C910ECD7921} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{C88267EF-7DE8-4EE8-8E10-A039CD892F90} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}" (HKLM) -- C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}" (HKLM) -- C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}" (HKLM) -- C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent (Microsoft Corporation)
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" (CyberLink Corp.)
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Development Company, L.P.)
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (InstallShield Software Corporation)
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"Persistence"=C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"SigmatelSysTrayApp"=stsystra.exe (SigmaTel, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (DT Soft Ltd)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (DT Soft Ltd)
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

========== (O4) Startup Folders ==========

[2005-12-13 16:22:52 | 00,000,105 | ---- | M] () -- C:\Documents and Settings\A403683\Start Menu\Programs\Startup\info.cmd
[2008-04-23 03:38:16 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[2008-01-03 08:56:55 | 00,245,760 | ---- | M] (Sophos Plc) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
[2006-02-19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2004-11-06 01:00:00 | 01,695,744 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
[2003-02-11 09:10:00 | 00,106,560 | ---- | M] (WinZip Computing, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
[2007-01-24 11:18:06 | 00,000,326 | ---- | M] () -- C:\Documents and Settings\Default User\Start Menu\Programs\Startup\1LOGIN.CMD
[2005-12-13 16:22:52 | 00,000,105 | ---- | M] () -- C:\Documents and Settings\Default User\Start Menu\Programs\Startup\info.cmd
[2005-12-13 16:22:52 | 00,000,105 | ---- | M] () -- C:\Documents and Settings\hkmonitor8\Start Menu\Programs\Startup\info.cmd

========== (O6 & O7) Current Version Policies ==========

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\New Windows]
"ListBox_Support_Allow"=1

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\New Windows\Allow]
"*.afnrkus1.af.se"=*.afnrkus1.af.se
"*.afnrkws2.af.se"=*.afnrkws2.af.se
"*.afsthfsv1.af.se"=*.afsthfsv1.af.se
"*.afsthfsv2.af.se"=*.afsthfsv2.af.se
"*.afsthfsv3.af.se"=*.afsthfsv3.af.se
"*.afsthfsv4.af.se"=*.afsthfsv4.af.se
"*.afsthic1.af.se"=*.afsthic1.af.se
"*.afsthic2.af.se"=*.afsthic2.af.se
"*.afsthic3.af.se"=*.afsthic3.af.se
"*.afsthic4.af.se"=*.afsthic4.af.se
"*.afsthic5.af.se"=*.afsthic5.af.se
"*.afsthic6.af.se"=*.afsthic6.af.se
"*.afsthic7.af.se"=*.afsthic7.af.se
"*.afsthic8.af.se"=*.afsthic8.af.se
"*.afsthic9.af.se"=*.afsthic9.af.se
"*.afsthks1.af.se"=*.afsthks1.af.se
"*.afsthks2.af.se"=*.afsthks2.af.se
"*.afsthws14.af.se"=*.afsthws14.af.se
"*.atifs.com/"=*.atifs.com/
"*.genesys.com"=*.genesys.com
"*.hr.afconsult.com"=*.hr.afconsult.com
"*.im.af.se"=*.im.af.se
"*.im.afconsult.com"=*.im.afconsult.com
"*.inside.af.se"=*.inside.af.se
"*.inside.afconsult.com"=*.inside.afconsult.com
"*.km.afconsult.com"=*.km.afconsult.com
"*.lkabprjekt.se"=*.lkabprjekt.se
"*.lonespec.af.se"=*.lonespec.af.se
"*.lonespec.afconsult.com"=*.lonespec.afconsult.com
"*.portal.solberg.se"=*.portal.solberg.se
"*.pxwebb.af.se"=*.pxwebb.af.se
"*.stugbok.af.se"=*.stugbok.af.se

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\policies\microsoft\internet explorer\New Windows]
"ListBox_Support_Allow"=1

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\policies\microsoft\internet explorer\New Windows\Allow]
"*.afnrkus1.af.se"=*.afnrkus1.af.se
"*.afnrkws2.af.se"=*.afnrkws2.af.se
"*.afsthfsv1.af.se"=*.afsthfsv1.af.se
"*.afsthfsv2.af.se"=*.afsthfsv2.af.se
"*.afsthfsv3.af.se"=*.afsthfsv3.af.se
"*.afsthfsv4.af.se"=*.afsthfsv4.af.se
"*.afsthic1.af.se"=*.afsthic1.af.se
"*.afsthic2.af.se"=*.afsthic2.af.se
"*.afsthic3.af.se"=*.afsthic3.af.se
"*.afsthic4.af.se"=*.afsthic4.af.se
"*.afsthic5.af.se"=*.afsthic5.af.se
"*.afsthic6.af.se"=*.afsthic6.af.se
"*.afsthic7.af.se"=*.afsthic7.af.se
"*.afsthic8.af.se"=*.afsthic8.af.se
"*.afsthic9.af.se"=*.afsthic9.af.se
"*.afsthks1.af.se"=*.afsthks1.af.se
"*.afsthks2.af.se"=*.afsthks2.af.se
"*.afsthws14.af.se"=*.afsthws14.af.se
"*.atifs.com/"=*.atifs.com/
"*.genesys.com"=*.genesys.com
"*.hr.afconsult.com"=*.hr.afconsult.com
"*.im.af.se"=*.im.af.se
"*.im.afconsult.com"=*.im.afconsult.com
"*.inside.af.se"=*.inside.af.se
"*.inside.afconsult.com"=*.inside.afconsult.com
"*.km.afconsult.com"=*.km.afconsult.com
"*.lkabprjekt.se"=*.lkabprjekt.se
"*.lonespec.af.se"=*.lonespec.af.se
"*.lonespec.afconsult.com"=*.lonespec.afconsult.com
"*.portal.solberg.se"=*.portal.solberg.se
"*.pxwebb.af.se"=*.pxwebb.af.se
"*.stugbok.af.se"=*.stugbok.af.se

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoCDBurning"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005-05-27 02:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2005-05-27 02:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java-konsol -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008-06-10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003-07-15 00:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java-konsol] -> [2008-06-10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003-07-15 00:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008-09-15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java-konsol] -> [2008-06-10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003-07-15 00:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008-09-15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
afconsult.com\*.directory: * in Den här datorn
afconsult.com\*.im: * in Den här datorn
afconsult.com\*.inside: * in Den här datorn
afconsult.com\*.lonespec: * in Den här datorn
afnrkus1.af.se: * in Lokalt intranät
afnrkws2.af.se: * in Lokalt intranät
afsthfsv1.af.se: * in Lokalt intranät
afsthfsv2.af.se: * in Lokalt intranät
afsthfsv3.af.se: * in Lokalt intranät
afsthfsv4.af.se: * in Lokalt intranät
afsthic1.af.se: * in Lokalt intranät
afsthic2.af.se: * in Lokalt intranät
afsthic3.af.se: * in Lokalt intranät
afsthic4.af.se: * in Lokalt intranät
afsthic5.af.se: * in Lokalt intranät
afsthic6.af.se: * in Lokalt intranät
afsthic7.af.se: * in Lokalt intranät
afsthic8.af.se: * in Lokalt intranät
afsthic9.af.se: * in Lokalt intranät
afsthks1.af.se: * in Lokalt intranät
afsthks2.af.se: * in Lokalt intranät
afsthws14.af.se: * in Lokalt intranät
ain.af.se\*.inside: * in Den här datorn
im.af.se: * in Lokalt intranät
inside.af.se: * in Lokalt intranät
kompetensmodul.af.se: * in Lokalt intranät
lonespec.af.se: * in Lokalt intranät
pxwebb.af.se: * in Lokalt intranät
stugbok.af.se: * in Lokalt intranät
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
afconsult.com\*.directory: * in Den här datorn
afconsult.com\*.im: * in Den här datorn
afconsult.com\*.inside: * in Den här datorn
afconsult.com\*.lonespec: * in Den här datorn
afnrkus1.af.se: * in Lokalt intranät
afnrkws2.af.se: * in Lokalt intranät
afsthfsv1.af.se: * in Lokalt intranät
afsthfsv2.af.se: * in Lokalt intranät
afsthfsv3.af.se: * in Lokalt intranät
afsthfsv4.af.se: * in Lokalt intranät
afsthic1.af.se: * in Lokalt intranät
afsthic2.af.se: * in Lokalt intranät
afsthic3.af.se: * in Lokalt intranät
afsthic4.af.se: * in Lokalt intranät
afsthic5.af.se: * in Lokalt intranät
afsthic6.af.se: * in Lokalt intranät
afsthic7.af.se: * in Lokalt intranät
afsthic8.af.se: * in Lokalt intranät
afsthic9.af.se: * in Lokalt intranät
afsthks1.af.se: * in Lokalt intranät
afsthks2.af.se: * in Lokalt intranät
afsthws14.af.se: * in Lokalt intranät
ain.af.se\*.inside: * in Den här datorn
im.af.se: * in Lokalt intranät
inside.af.se: * in Lokalt intranät
kompetensmodul.af.se: * in Lokalt intranät
lonespec.af.se: * in Lokalt intranät
pxwebb.af.se: * in Lokalt intranät
stugbok.af.se: * in Lokalt intranät
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
afconsult.com\*.directory: * in Den här datorn
afconsult.com\*.im: * in Den här datorn
afconsult.com\*.inside: * in Den här datorn
afconsult.com\*.lonespec: * in Den här datorn
afnrkus1.af.se: * in Lokalt intranät
afnrkws2.af.se: * in Lokalt intranät
afsthfsv1.af.se: * in Lokalt intranät
afsthfsv2.af.se: * in Lokalt intranät
afsthfsv3.af.se: * in Lokalt intranät
afsthfsv4.af.se: * in Lokalt intranät
afsthic1.af.se: * in Lokalt intranät
afsthic2.af.se: * in Lokalt intranät
afsthic3.af.se: * in Lokalt intranät
afsthic4.af.se: * in Lokalt intranät
afsthic5.af.se: * in Lokalt intranät
afsthic6.af.se: * in Lokalt intranät
afsthic7.af.se: * in Lokalt intranät
afsthic8.af.se: * in Lokalt intranät
afsthic9.af.se: * in Lokalt intranät
afsthks1.af.se: * in Lokalt intranät
afsthks2.af.se: * in Lokalt intranät
afsthws14.af.se: * in Lokalt intranät
ain.af.se\*.inside: * in Den här datorn
im.af.se: * in Lokalt intranät
inside.af.se: * in Lokalt intranät
kompetensmodul.af.se: * in Lokalt intranät
lonespec.af.se: * in Lokalt intranät
pxwebb.af.se: * in Lokalt intranät
stugbok.af.se: * in Lokalt intranät
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
afconsult.com\*.directory: * in Den här datorn
afconsult.com\*.im: * in Den här datorn
afconsult.com\*.inside: * in Den här datorn
afconsult.com\*.lonespec: * in Den här datorn
afnrkus1.af.se: * in Lokalt intranät
afnrkws2.af.se: * in Lokalt intranät
afsthfsv1.af.se: * in Lokalt intranät
afsthfsv2.af.se: * in Lokalt intranät
afsthfsv3.af.se: * in Lokalt intranät
afsthfsv4.af.se: * in Lokalt intranät
afsthic1.af.se: * in Lokalt intranät
afsthic2.af.se: * in Lokalt intranät
afsthic3.af.se: * in Lokalt intranät
afsthic4.af.se: * in Lokalt intranät
afsthic5.af.se: * in Lokalt intranät
afsthic6.af.se: * in Lokalt intranät
afsthic7.af.se: * in Lokalt intranät
afsthic8.af.se: * in Lokalt intranät
afsthic9.af.se: * in Lokalt intranät
afsthks1.af.se: * in Lokalt intranät
afsthks2.af.se: * in Lokalt intranät
afsthws14.af.se: * in Lokalt intranät
ain.af.se\*.inside: * in Den här datorn
im.af.se: * in Lokalt intranät
inside.af.se: * in Lokalt intranät
kompetensmodul.af.se: * in Lokalt intranät
lonespec.af.se: * in Lokalt intranät
pxwebb.af.se: * in Lokalt intranät
stugbok.af.se: * in Lokalt intranät
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
afconsult.com\*.directory: * in Den här datorn
afconsult.com\*.im: * in Den här datorn
afconsult.com\*.inside: * in Den här datorn
afconsult.com\*.lonespec: * in Den här datorn
afnrkus1.af.se: * in Lokalt intranät
afnrkws2.af.se: * in Lokalt intranät
afsthfsv1.af.se: * in Lokalt intranät
afsthfsv2.af.se: * in Lokalt intranät
afsthfsv3.af.se: * in Lokalt intranät
afsthfsv4.af.se: * in Lokalt intranät
afsthic1.af.se: * in Lokalt intranät
afsthic2.af.se: * in Lokalt intranät
afsthic3.af.se: * in Lokalt intranät
afsthic4.af.se: * in Lokalt intranät
afsthic5.af.se: * in Lokalt intranät
afsthic6.af.se: * in Lokalt intranät
afsthic7.af.se: * in Lokalt intranät
afsthic8.af.se: * in Lokalt intranät
afsthic9.af.se: * in Lokalt intranät
afsthks1.af.se: * in Lokalt intranät
afsthks2.af.se: * in Lokalt intranät
afsthws14.af.se: * in Lokalt intranät
ain.af.se\*.inside: * in Den här datorn
im.af.se: * in Lokalt intranät
inside.af.se: * in Lokalt intranät
kompetensmodul.af.se: * in Lokalt intranät
lonespec.af.se: * in Lokalt intranät
pxwebb.af.se: * in Lokalt intranät
stugbok.af.se: * in Lokalt intranät
47 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07

========== (O17) DNS Name Servers ==========

{1B38EA0D-316C-49A1-9DB1-CC4AB130D3C6} (Servers: | Description: Intel® PRO/Wireless 3945ABG Network Connection)
{4E885973-8554-42EC-81B5-2070B1414AC4} (Servers: | Description: Broadcom NetXtreme 57xx Gigabit Controller)
{552AF7E5-0755-470E-A7EB-6D4095FE13EB} (Servers: | Description: 1394 Net Adapter)
{EAB70AD5-D783-4AA0-BBAF-390C2B38C8E3} (Servers: | Description: )

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL assdbw.dll ssbvnl.dll xzacet.dll jwcjqr.dll zsorme.dll arkcmd.dll ztvmbl.dll paekql.dll
>[2008-06-13 10:11:20 | 00,173,056 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll
>[2008-10-12 21:04:10 | 00,137,216 | ---- | M] () -- C:\WINDOWS\system32\assdbw.dll
>[2008-10-13 21:06:03 | 00,137,216 | ---- | M] () -- C:\WINDOWS\system32\ssbvnl.dll
>[2008-10-15 09:22:06 | 00,137,216 | ---- | M] () -- C:\WINDOWS\system32\xzacet.dll
>[2008-10-16 13:40:40 | 00,137,216 | ---- | M] () -- C:\WINDOWS\system32\jwcjqr.dll
>[2008-10-17 13:46:37 | 00,137,728 | ---- | M] () -- C:\WINDOWS\system32\zsorme.dll
>[2008-10-18 11:32:34 | 00,132,608 | ---- | M] () -- C:\WINDOWS\system32\arkcmd.dll
>[2008-10-19 14:23:38 | 00,132,608 | ---- | M] () -- C:\WINDOWS\system32\ztvmbl.dll
>[2008-10-20 22:10:31 | 00,132,096 | ---- | M] () -- C:\WINDOWS\system32\paekql.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
ddcAsRhH: "DllName" = ddcAsRhH.dll -- C:\WINDOWS\system32\ddcAsRhH.dll ()
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3C3D6A39-B167-4506-A377-E262402A29F5}" (HKLM) -- C:\WINDOWS\system32\ddcAsRhH.dll ()

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,C:\WINDOWS\system32\byXqroOe,
>[2008-10-12 21:03:28 | 00,326,016 | ---- | M] () -- C:\WINDOWS\system32\byXqroOe.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2007-05-29 14:58:43 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 90 Days ==========

[2008-10-21 16:48:34 | 00,007,025 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\kaspersky.html
[2008-10-20 22:17:38 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2008-10-20 22:12:29 | 00,421,888 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\A403683\Desktop\OTViewIt.exe
[2008-10-20 22:10:31 | 00,132,096 | ---- | C] () -- C:\WINDOWS\System32\paekql.dll
[2008-10-20 22:10:31 | 00,132,096 | ---- | C] () -- C:\WINDOWS\System32\ddbhkoej.dll
[2008-10-20 22:09:01 | 01,343,270 | -HS- | C] () -- C:\WINDOWS\System32\seawhdlu.ini
[2008-10-20 22:08:57 | 00,075,904 | ---- | C] () -- C:\WINDOWS\System32\uldhwaes.dll
[2008-10-19 14:24:07 | 01,349,306 | -HS- | C] () -- C:\WINDOWS\System32\yxuupdoe.ini
[2008-10-19 14:24:03 | 00,076,416 | ---- | C] () -- C:\WINDOWS\System32\eodpuuxy.dll
[2008-10-19 14:23:39 | 00,132,608 | ---- | C] () -- C:\WINDOWS\System32\ztvmbl.dll
[2008-10-19 14:23:38 | 00,132,608 | ---- | C] () -- C:\WINDOWS\System32\mxkdpuyi.dll
[2008-10-19 00:46:21 | 00,931,197 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\nitemare.zip
[2008-10-19 00:41:33 | 00,012,796 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\The_Neverhood.3441496.TPB.torrent
[2008-10-19 00:15:40 | 00,000,000 | ---D | C] -- C:\Program Files\directx
[2008-10-18 23:34:39 | 00,000,000 | ---D | C] -- C:\Program Files\KONAMI
[2008-10-18 23:22:52 | 00,015,530 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\Flight_of_the_Conchords_-_Season_1.3832444.TPB.torrent
[2008-10-18 11:33:28 | 01,349,306 | -HS- | C] () -- C:\WINDOWS\System32\kqkvcpfl.ini
[2008-10-18 11:33:21 | 00,076,416 | ---- | C] () -- C:\WINDOWS\System32\lfpcvkqk.dll
[2008-10-18 11:32:35 | 00,132,608 | ---- | C] () -- C:\WINDOWS\System32\arkcmd.dll
[2008-10-18 11:32:34 | 00,132,608 | ---- | C] () -- C:\WINDOWS\System32\dpgadirt.dll
[2008-10-17 13:46:37 | 00,137,728 | ---- | C] () -- C:\WINDOWS\System32\zsorme.dll
[2008-10-17 13:46:37 | 00,137,728 | ---- | C] () -- C:\WINDOWS\System32\njxtffmo.dll
[2008-10-17 13:43:40 | 01,353,264 | -HS- | C] () -- C:\WINDOWS\System32\qobdhxhc.ini
[2008-10-17 13:43:38 | 00,080,000 | ---- | C] () -- C:\WINDOWS\System32\chxhdboq.dll
[2008-10-16 18:00:14 | 00,028,537 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\The_Flaming_Lips_[6_Albums]_[320kbps].4443219.TPB.torrent
[2008-10-16 17:35:53 | 00,020,318 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\Scrubs.season.7.tv-rip.swesub-RavenE.4421275.TPB.torrent
[2008-10-16 13:40:48 | 01,353,374 | -HS- | C] () -- C:\WINDOWS\System32\rwuhjppo.ini
[2008-10-16 13:40:44 | 00,080,000 | ---- | C] () -- C:\WINDOWS\System32\oppjhuwr.dll
[2008-10-16 13:40:40 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\jwcjqr.dll
[2008-10-16 13:40:40 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\dptolwpc.dll
[2008-10-15 09:22:06 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\xzacet.dll
[2008-10-15 09:22:05 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\yahnfvnb.dll
[2008-10-15 09:19:28 | 01,344,641 | -HS- | C] () -- C:\WINDOWS\System32\oxgccjdx.ini
[2008-10-15 09:19:26 | 00,079,488 | ---- | C] () -- C:\WINDOWS\System32\xdjccgxo.dll
[2008-10-13 21:09:05 | 01,087,555 | -HS- | C] () -- C:\WINDOWS\System32\mutqwnxx.ini
[2008-10-13 21:09:02 | 00,080,000 | ---- | C] () -- C:\WINDOWS\System32\xxnwqtum.dll
[2008-10-13 21:06:03 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\ydwexwrb.dll
[2008-10-13 21:06:03 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\ssbvnl.dll
[2008-10-13 20:45:28 | 00,000,017 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\stinger.opt
[2008-10-13 18:57:54 | 02,482,695 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\A403683\Desktop\stinger.exe
[2008-10-13 15:38:04 | 00,332,938 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\varför.bmp
[2008-10-12 21:22:40 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2008-10-12 21:06:34 | 01,083,787 | -HS- | C] () -- C:\WINDOWS\System32\grmsphlb.ini
[2008-10-12 21:04:11 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\assdbw.dll
[2008-10-12 21:04:10 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\dftrhfev.dll
[2008-10-12 21:03:29 | 00,362,562 | -HS- | C] () -- C:\WINDOWS\System32\eOorqXyb.ini2
[2008-10-12 21:03:29 | 00,362,562 | -HS- | C] () -- C:\WINDOWS\System32\eOorqXyb.ini
[2008-10-12 21:03:25 | 00,326,016 | ---- | C] () -- C:\WINDOWS\System32\byXqroOe.dll
[2008-10-12 17:35:03 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\HijackThis.lnk
[2008-10-12 17:35:01 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008-10-12 13:18:21 | 01,083,787 | -HS- | C] () -- C:\WINDOWS\System32\rojsmwgm.ini
[2008-10-12 13:18:21 | 00,080,000 | ---- | C] () -- C:\WINDOWS\System32\mgwmsjor.dll
[2008-10-12 13:15:22 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\rbusbo.dll
[2008-10-12 13:15:21 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\ynuwxmxc.dll
[2008-10-12 12:09:35 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008-10-12 12:09:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008-10-11 19:14:32 | 00,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[2008-10-11 19:14:32 | 00,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008-10-11 19:14:24 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008-10-11 19:14:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008-10-11 19:11:32 | 15,083,520 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\A403683\Desktop\spybotsd160.exe
[2008-10-11 19:09:53 | 19,153,264 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\aaw2008.exe
[2008-10-11 13:17:39 | 01,083,787 | -HS- | C] () -- C:\WINDOWS\System32\hgeihjyj.ini
[2008-10-11 13:15:15 | 00,136,704 | ---- | C] () -- C:\WINDOWS\System32\jqgmqggj.dll
[2008-10-11 13:15:15 | 00,136,704 | ---- | C] () -- C:\WINDOWS\System32\idvghy.dll
[2008-10-11 13:14:34 | 00,420,281 | -HS- | C] () -- C:\WINDOWS\System32\pWHQYcfe.ini2
[2008-10-11 12:17:56 | 01,083,787 | -HS- | C] () -- C:\WINDOWS\System32\dldgynnn.ini
[2008-10-11 12:17:56 | 00,080,000 | ---- | C] () -- C:\WINDOWS\System32\nnnygdld.dll
[2008-10-11 12:16:52 | 00,136,704 | ---- | C] () -- C:\WINDOWS\System32\tjyfkx.dll
[2008-10-11 12:16:52 | 00,136,704 | ---- | C] () -- C:\WINDOWS\System32\fgnjkgbu.dll
[2008-10-11 06:04:00 | 01,083,787 | -HS- | C] () -- C:\WINDOWS\System32\xgbuakjq.ini
[2008-10-11 06:01:40 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\hgfqgfwi.dll
[2008-10-11 06:01:40 | 00,137,216 | ---- | C] () -- C:\WINDOWS\System32\fxsene.dll
[2008-10-11 06:00:55 | 00,341,874 | -HS- | C] () -- C:\WINDOWS\System32\vxxIQqss.ini2
[2008-10-11 05:30:16 | 00,000,254 | ---- | C] () -- C:\WINDOWS\System32\tdssservers.dat
[2008-10-11 05:29:59 | 00,038,272 | ---- | C] () -- C:\WINDOWS\System32\ssqNHyxv.dll
[2008-10-11 05:29:58 | 00,038,272 | ---- | C] () -- C:\WINDOWS\System32\ddcAsRhH.dll
[2008-10-09 09:28:17 | 00,000,000 | ---D | C] -- C:\Program Files\CDisplay
[2008-10-07 21:11:54 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\A403683\Local Settings\Application Data\PUTTY.RND
[2008-10-07 21:09:08 | 00,454,656 | ---- | C] (Simon Tatham) -- C:\Documents and Settings\A403683\Desktop\putty.exe
[2008-10-07 21:05:51 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\A403683\Application Data\winscp.rnd
[2008-10-07 21:05:41 | 00,000,000 | ---D | C] -- C:\Program Files\WinSCP
[2008-10-06 20:24:06 | 00,000,000 | ---D | C] -- C:\Program Files\LEd
[2008-10-06 20:08:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\Local Settings\Application Data\MiKTeX
[2008-10-06 20:08:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MiKTeX
[2008-10-06 20:00:06 | 00,000,000 | ---D | C] -- C:\Program Files\MiKTeX 2.7
[2008-10-06 19:56:25 | 85,793,032 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\basic-miktex-2.7.3164.exe
[2008-09-29 14:16:02 | 00,172,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xwr47437.dll
[2008-09-29 14:16:02 | 00,172,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wr47437.dll
[2008-09-29 14:16:01 | 28,962,712 | ---- | C] () -- C:\WINDOWS\System32\xa5699171.exe
[2008-09-29 14:15:48 | 28,962,712 | ---- | C] () -- C:\WINDOWS\System32\xa5685890.exe
[2008-09-29 13:17:12 | 00,000,251 | ---- | C] () -- C:\WINDOWS\SETUP.INI
[2008-09-29 12:45:25 | 00,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Toolbar
[2008-09-29 12:45:22 | 00,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2008-09-28 23:11:56 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008-09-28 23:11:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\Application Data\DAEMON Tools
[2008-09-22 21:02:36 | 00,000,000 | ---D | C] -- C:\Program Files\eclipse
[2008-09-14 01:36:44 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2008-09-14 01:36:08 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2008-09-14 01:36:05 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2008-09-14 01:36:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2008-09-14 01:33:12 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2008-09-04 17:30:16 | 00,000,668 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\Genväg till Downloads.lnk
[2008-09-02 17:45:58 | 00,014,832 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\Martin.pdf
[2008-09-01 22:24:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\Application Data\vlc
[2008-09-01 20:43:15 | 00,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2008-08-25 18:26:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\My Documents\Downloads
[2008-08-25 18:18:18 | 00,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2008-08-25 18:17:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\Application Data\uTorrent
[2008-08-25 18:17:48 | 00,267,056 | ---- | C] (BitTorrent, Inc.) -- C:\Documents and Settings\A403683\Desktop\utorrent.exe
[2008-08-23 21:25:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008-08-23 21:25:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\Local Settings\Application Data\Mozilla
[2008-08-23 21:25:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\Application Data\Mozilla
[2008-08-23 21:22:59 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008-08-23 21:22:53 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2008-07-23 18:45:50 | 00,150,016 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\Ekonomi2002-2008.xls
[2008-07-23 18:45:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\A403683\Application Data\WinRAR
[2008-07-23 18:45:27 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2008-07-23 18:42:18 | 00,095,117 | ---- | C] () -- C:\Documents and Settings\A403683\Desktop\Skymningens Söner.rar

========== Files - Modified Within 90 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2008-10-21 16:49:39 | 00,362,562 | -HS- | M] () -- C:\WINDOWS\System32\eOorqXyb.ini
[2008-10-21 16:49:05 | 00,362,562 | -HS- | M] () -- C:\WINDOWS\System32\eOorqXyb.ini2
[2008-10-21 16:48:34 | 00,007,025 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\kaspersky.html
[2008-10-21 10:18:03 | 00,035,328 | ---- | M] () -- C:\Documents and Settings\A403683\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008-10-21 10:04:16 | 04,096,054 | ---- | M] () -- C:\WINDOWS\BGInfo.bmp
[2008-10-21 10:03:21 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008-10-21 10:02:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008-10-21 10:01:40 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008-10-20 23:02:07 | 00,000,576 | ---- | M] () -- C:\Documents and Settings\A403683\My Documents\Mina delade mappar.lnk
[2008-10-20 22:22:13 | 01,343,270 | -HS- | M] () -- C:\WINDOWS\System32\seawhdlu.ini
[2008-10-20 22:12:30 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\A403683\Desktop\OTViewIt.exe
[2008-10-20 22:10:31 | 00,132,096 | ---- | M] () -- C:\WINDOWS\System32\paekql.dll
[2008-10-20 22:10:31 | 00,132,096 | ---- | M] () -- C:\WINDOWS\System32\ddbhkoej.dll
[2008-10-20 22:08:57 | 00,075,904 | ---- | M] () -- C:\WINDOWS\System32\uldhwaes.dll
[2008-10-19 14:24:18 | 01,349,306 | -HS- | M] () -- C:\WINDOWS\System32\yxuupdoe.ini
[2008-10-19 14:24:03 | 00,076,416 | ---- | M] () -- C:\WINDOWS\System32\eodpuuxy.dll
[2008-10-19 14:23:38 | 00,132,608 | ---- | M] () -- C:\WINDOWS\System32\ztvmbl.dll
[2008-10-19 14:23:38 | 00,132,608 | ---- | M] () -- C:\WINDOWS\System32\mxkdpuyi.dll
[2008-10-19 00:46:22 | 00,931,197 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\nitemare.zip
[2008-10-19 00:41:35 | 00,012,796 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\The_Neverhood.3441496.TPB.torrent
[2008-10-18 23:22:52 | 00,015,530 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\Flight_of_the_Conchords_-_Season_1.3832444.TPB.torrent
[2008-10-18 11:33:41 | 01,349,306 | -HS- | M] () -- C:\WINDOWS\System32\kqkvcpfl.ini
[2008-10-18 11:33:21 | 00,076,416 | ---- | M] () -- C:\WINDOWS\System32\lfpcvkqk.dll
[2008-10-18 11:32:34 | 00,132,608 | ---- | M] () -- C:\WINDOWS\System32\dpgadirt.dll
[2008-10-18 11:32:34 | 00,132,608 | ---- | M] () -- C:\WINDOWS\System32\arkcmd.dll
[2008-10-17 13:46:37 | 00,137,728 | ---- | M] () -- C:\WINDOWS\System32\zsorme.dll
[2008-10-17 13:46:37 | 00,137,728 | ---- | M] () -- C:\WINDOWS\System32\njxtffmo.dll
[2008-10-17 13:43:42 | 01,353,264 | -HS- | M] () -- C:\WINDOWS\System32\qobdhxhc.ini
[2008-10-17 13:43:38 | 00,080,000 | ---- | M] () -- C:\WINDOWS\System32\chxhdboq.dll
[2008-10-16 18:00:14 | 00,028,537 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\The_Flaming_Lips_[6_Albums]_[320kbps].4443219.TPB.torrent
[2008-10-16 17:35:54 | 00,020,318 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\Scrubs.season.7.tv-rip.swesub-RavenE.4421275.TPB.torrent
[2008-10-16 13:41:01 | 01,353,374 | -HS- | M] () -- C:\WINDOWS\System32\rwuhjppo.ini
[2008-10-16 13:40:44 | 00,080,000 | ---- | M] () -- C:\WINDOWS\System32\oppjhuwr.dll
[2008-10-16 13:40:40 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\jwcjqr.dll
[2008-10-16 13:40:40 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\dptolwpc.dll
[2008-10-15 09:22:06 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\yahnfvnb.dll
[2008-10-15 09:22:06 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\xzacet.dll
[2008-10-15 09:19:38 | 01,344,641 | -HS- | M] () -- C:\WINDOWS\System32\oxgccjdx.ini
[2008-10-15 09:19:26 | 00,079,488 | ---- | M] () -- C:\WINDOWS\System32\xdjccgxo.dll
[2008-10-13 21:09:16 | 01,087,555 | -HS- | M] () -- C:\WINDOWS\System32\mutqwnxx.ini
[2008-10-13 21:09:02 | 00,080,000 | ---- | M] () -- C:\WINDOWS\System32\xxnwqtum.dll
[2008-10-13 21:06:03 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\ydwexwrb.dll
[2008-10-13 21:06:03 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\ssbvnl.dll
[2008-10-13 20:45:28 | 00,000,017 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\stinger.opt
[2008-10-13 18:58:38 | 02,482,695 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\A403683\Desktop\stinger.exe
[2008-10-13 16:10:05 | 00,332,938 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\varför.bmp
[2008-10-12 21:06:37 | 01,083,787 | -HS- | M] () -- C:\WINDOWS\System32\grmsphlb.ini
[2008-10-12 21:04:10 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\dftrhfev.dll
[2008-10-12 21:04:10 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\assdbw.dll
[2008-10-12 21:03:28 | 00,326,016 | ---- | M] () -- C:\WINDOWS\System32\byXqroOe.dll
[2008-10-12 20:54:17 | 00,420,281 | -HS- | M] () -- C:\WINDOWS\System32\pWHQYcfe.ini2
[2008-10-12 19:45:34 | 00,266,048 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008-10-12 19:44:41 | 00,266,048 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20081012-194534.backup
[2008-10-12 17:35:03 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\HijackThis.lnk
[2008-10-12 15:53:41 | 00,000,209 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2008-10-12 13:18:27 | 01,083,787 | -HS- | M] () -- C:\WINDOWS\System32\rojsmwgm.ini
[2008-10-12 13:18:21 | 00,080,000 | ---- | M] () -- C:\WINDOWS\System32\mgwmsjor.dll
[2008-10-12 13:17:43 | 01,083,787 | -HS- | M] () -- C:\WINDOWS\System32\hgeihjyj.ini
[2008-10-12 13:15:21 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\ynuwxmxc.dll
[2008-10-12 13:15:21 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\rbusbo.dll
[2008-10-11 19:14:32 | 00,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[2008-10-11 19:14:32 | 00,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008-10-11 19:13:04 | 19,153,264 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\aaw2008.exe
[2008-10-11 19:12:23 | 15,083,520 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\A403683\Desktop\spybotsd160.exe
[2008-10-11 13:15:15 | 00,136,704 | ---- | M] () -- C:\WINDOWS\System32\jqgmqggj.dll
[2008-10-11 13:15:15 | 00,136,704 | ---- | M] () -- C:\WINDOWS\System32\idvghy.dll
[2008-10-11 13:06:16 | 00,341,874 | -HS- | M] () -- C:\WINDOWS\System32\vxxIQqss.ini2
[2008-10-11 12:18:08 | 01,083,787 | -HS- | M] () -- C:\WINDOWS\System32\dldgynnn.ini
[2008-10-11 12:17:56 | 00,080,000 | ---- | M] () -- C:\WINDOWS\System32\nnnygdld.dll
[2008-10-11 12:16:52 | 00,136,704 | ---- | M] () -- C:\WINDOWS\System32\tjyfkx.dll
[2008-10-11 12:16:52 | 00,136,704 | ---- | M] () -- C:\WINDOWS\System32\fgnjkgbu.dll
[2008-10-11 06:04:03 | 01,083,787 | -HS- | M] () -- C:\WINDOWS\System32\xgbuakjq.ini
[2008-10-11 06:01:40 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\hgfqgfwi.dll
[2008-10-11 06:01:40 | 00,137,216 | ---- | M] () -- C:\WINDOWS\System32\fxsene.dll
[2008-10-11 05:30:16 | 00,000,254 | ---- | M] () -- C:\WINDOWS\System32\tdssservers.dat
[2008-10-11 05:29:58 | 00,038,272 | ---- | M] () -- C:\WINDOWS\System32\ssqNHyxv.dll
[2008-10-11 05:29:58 | 00,038,272 | ---- | M] () -- C:\WINDOWS\System32\ddcAsRhH.dll
[2008-10-07 21:43:36 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\A403683\Application Data\winscp.rnd
[2008-10-07 21:25:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008-10-07 21:11:54 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\A403683\Local Settings\Application Data\PUTTY.RND
[2008-10-07 21:09:09 | 00,454,656 | ---- | M] (Simon Tatham) -- C:\Documents and Settings\A403683\Desktop\putty.exe
[2008-10-06 19:58:51 | 85,793,032 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\basic-miktex-2.7.3164.exe
[2008-09-29 14:16:02 | 00,172,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\xwr47437.dll
[2008-09-29 14:16:02 | 00,172,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wr47437.dll
[2008-09-29 14:16:01 | 28,962,712 | ---- | M] () -- C:\WINDOWS\System32\xa5699171.exe
[2008-09-29 14:16:01 | 28,962,712 | ---- | M] () -- C:\WINDOWS\System32\xa5685890.exe
[2008-09-29 13:18:38 | 00,000,439 | ---- | M] () -- C:\WINDOWS\system.ini
[2008-09-29 13:17:12 | 00,000,251 | ---- | M] () -- C:\WINDOWS\SETUP.INI
[2008-09-28 23:11:57 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008-09-25 07:22:45 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2008-09-07 15:38:18 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2008-09-07 15:38:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2008-09-04 17:30:16 | 00,000,668 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\Genväg till Downloads.lnk
[2008-09-02 17:45:58 | 00,014,832 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\Martin.pdf
[2008-08-25 18:17:49 | 00,267,056 | ---- | M] (BitTorrent, Inc.) -- C:\Documents and Settings\A403683\Desktop\utorrent.exe
[2008-08-23 21:25:22 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2008-08-23 21:22:59 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008-08-23 16:29:47 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2008-08-19 08:24:16 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2008-08-19 08:24:16 | 00,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
[2008-08-19 08:23:37 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2008-08-19 08:23:37 | 00,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
[2008-08-19 08:22:10 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008-08-19 08:22:10 | 00,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2008-07-23 18:54:00 | 00,150,016 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\Ekonomi2002-2008.xls
[2008-07-23 18:54:00 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\Balansräkning-wasp.xls
[2008-07-23 18:42:22 | 00,095,117 | ---- | M] () -- C:\Documents and Settings\A403683\Desktop\Skymningens Söner.rar
< End of report >

Extras.txt:

OTViewIt Extras logfile created on: 2008-10-21 16:49:17 - Run 4
OTViewIt by OldTimer - Version 1.0.17.0 Folder = C:\Documents and Settings\A403683\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000041D | Country: Sweden | Language: SVE | Date Format: yyyy-MM-dd

1014,05 Mb Total Physical Memory | 349,79 Mb Available Physical Memory | 34,49% Memory free
2,38 Gb Paging File | 0,48 Gb Available in Paging File | 20,27% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55,80 Gb Total Space | 28,97 Gb Free Space | 51,92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AFSEGBGPC02028
Current User Name: A403683
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 90 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004-08-04 01:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SR_GUI
File not found -- C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:Connection Manager
[2007-01-19 12:55:22 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007-01-04 16:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004-08-04 01:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006-02-19 04:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe
[2006-02-19 05:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe
[2006-04-21 00:13:30 | 00,231,000 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe
[2006-04-20 21:28:12 | 00,040,960 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe
[2006-04-20 23:43:46 | 00,087,640 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe
[2006-02-17 00:19:34 | 00,192,512 | ---- | M] () -- C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe
[2006-02-16 22:49:52 | 01,085,440 | R--- | M] (Hewlett-Packard) -- C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe
[2006-04-21 00:06:26 | 00,181,848 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe
[2006-02-15 10:37:26 | 00,147,511 | R--- | M] (Hewlett-Packard) -- C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe
[2006-04-21 00:13:00 | 00,456,280 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe
[2006-04-20 23:42:18 | 00,063,064 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe
[2006-02-19 05:29:46 | 00,139,264 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe
[2007-01-19 12:55:22 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007-01-04 16:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
File not found -- C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client
File not found -- C:\Program Files\Sony Ericsson\Update Service\Update Service.exe:*:Disabled:Update Service
[2008-10-08 23:30:32 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
[2008-08-29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008-09-10 17:39:54 | 14,228,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000001 [Bluetooth Namespace] -- C:\WINDOWS\system32\wshbth.dll (Microsoft Corporation)
NameSpace_Catalog5\Catalog_Entries\000000000005 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003-07-11 04:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007-01-19 12:53:24 | 00,063,344 | ---- | M] (Microsoft Corporation) C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003-07-11 04:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003-07-11 04:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2000-04-19 20:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007-01-19 12:53:24 | 00,063,344 | ---- | M] (Microsoft Corporation) C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005-06-03 01:36:20 | 07,252,672 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2005-04-25 14:29:56 | 08,071,360 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003-07-15 00:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}"=PDFCreator
"{034759DA-E21A-4795-BFB3-C66D17FAD183}"=Sophos Anti-Virus
"{05C56753-F144-44BC-BA67-83CC5DBF395C}"=F300
"{075473F5-846A-448B-BCB3-104AA1760205}"=Roxio RecordNow Data
"{0A649E72-DB35-4C54-968E-CECAECA7E293}"=OZ776 SCR CardBus V1.1.3.6
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}"=Roxio DLA
"{15C418EB-7675-42be-B2B3-281952DA014D}"=Sophos AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}"=Google Earth
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}"=HPPhotoSmartExpress
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}"=Previous Versions Client
"{2764CA82-DFB9-4498-AF85-719340BF5305}"=Dell Resource CD
"{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}"=DWG TrueView
"{2E55A582-4FFE-4FF2-8D4D-E7D275FF89BD}"=Windows Live Messenger
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}"=Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150120}"=J2SE Runtime Environment 5.0 Update 12
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{41B9E2CF-0B3F-442A-B5B3-592A4A355634}"=iTunes
"{45B8A76B-57EC-4242-B019-066400CD8428}"=BufferChm
"{49672EC2-171B-47B4-8CE7-50D7806360D7}"=Windows Live Sign-in Assistant
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}"=HPProductAssistant
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}"=Windows Genuine Advantage v1.3.0254.0
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}"=Roxio Express Labeler
"{66910000-8B30-4973-A159-6371345AFFA5}"=WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}"=eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD 5.7
"{68763C27-235D-4165-A961-FDEA228CE504}"=AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}"=Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{6DA9102E-199F-43A0-A36B-6EF48081A658}"=Kontrollpanelen MobileMe
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}"=CustomerResearchQFolder
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}"=Readme
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}"=ProductContextNPI
"{8331C3EA-0C91-43AA-A4D4-27221C631139}"=Status
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}"=Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{8FB0967B-ED48-4B8C-A165-CF0765CAB987}"=Specops Inventory Client Side Extension (x86)
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{90120000-0020-041D-0000-0000000FF1CE}"=Compatibility Pack för Office 2007-systemet
"{901E040B-6000-11D3-8CFE-0150048383C9}"=Microsoft Office 2003 Finnish User Interface Pack
"{901E040C-6000-11D3-8CFE-0150048383C9}"=Microsoft Office 2003 French User Interface Pack
"{901E0413-6000-11D3-8CFE-0150048383C9}"=Microsoft Office 2003 Dutch User Interface Pack
"{901E041D-6000-11D3-8CFE-0150048383C9}"=Microsoft Office 2003 Swedish User Interface Pack
"{901E0C0A-6000-11D3-8CFE-0150048383C9}"=Microsoft Office 2003 Spanish User Interface Pack
"{901FE46E-970F-445C-9F45-DA29C3DD9BC5}"=DPT 1.4.16
"{996512CF-F35B-48DE-9291-557FA5316967}"=ScannerCopy
"{A36BE275-BD22-406C-8D2D-ED99F9E6C0B4}"=IKEA HomePlanner Kitchen
"{A431D7BF-A409-41AC-8B87-F5A33867AFCE}"=Specops Deploy Client Side Extension
"{AA9768AA-FF0B-4C66-A085-31E934F77841}"=Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}"=DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}"=Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A71000000002}"=Adobe Reader 7.1.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}"=Roxio RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}"=HP Software Update
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}"=HP Photosmart, Officejet and Deskjet 7.0.A
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}"=SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}"=AiO_Scan_CDA
"{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}"=Safari
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}"=TrayApp
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}"=MarketResearch
"{E5966E4C-0A93-4F59-A981-BD3173D4799F}"=F300_Help
"{EB21A812-671B-4D08-B974-2A347F0D8F70}"=HP Photosmart Essential
"{F157460F-720E-482f-8625-AD7843891E5F}"=InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}"=Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}"=Fax_CDA
"{FB15E224-67C3-491F-9F5C-F257BC418412}"=Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}"=NewCopy_CDA
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}"=HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FF11005D-CBC8-45D5-A288-25C7BB304121}"=Sophos Remote Management System
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"CDisplay_is1"=CDisplay 1.8
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3"=Conexant HDA D110 MDC V.92 Modem
"DAEMON Tools Toolbar"=DAEMON Tools Toolbar
"HDMI"=Intel® Graphics Media Accelerator Driver
"HijackThis"=HijackThis 2.0.2
"HP Imaging Device Functions"=HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools"=HP Solution Center 7.0
"HPExtendedCapabilities"=HP Customer Participation Program 7.0
"InstallShield_{0A649E72-DB35-4C54-968E-CECAECA7E293}"=OZ776 SCR CardBus V1.1.3.6
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"MiKTeX 2.7"=MiKTeX 2.7
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10
"WinRAR archiver"=WinRAR
"winscp3_is1"=WinSCP 4.1.7
"WinZip"=WinZip
"VLC media player"=VideoLAN VLC media player 0.8.6i
"WMCSetup"=Windows Media Connect

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent"=µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1708537768-682003330-725345543-66546\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent"=µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2008-10-21 09:46:29 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 09:52:06 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:00:30 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:06:09 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:11:49 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:17:26 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:25:50 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:31:29 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:37:09 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

Error - 2008-10-21 10:42:46 | Computer Name = AFSEGBGPC02028 | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: AFSESTHAV1,AFSESTHAV1.af.se.%3

[ System Events ]
Error - 2008-10-20 17:52:15 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-21 04:02:23 | Computer Name = AFSEGBGPC02028 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain AF due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 2008-10-21 04:02:40 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-21 04:02:41 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-21 04:17:41 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-21 04:47:41 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-21 05:47:41 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-21 08:03:58 | Computer Name = AFSEGBGPC02028 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain AF due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 2008-10-21 08:09:14 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 239 minutes. NtpClient has no source of accurate
time.

Error - 2008-10-21 10:47:01 | Computer Name = AFSEGBGPC02028 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.


< End of report >

And finally, Kaspersky's Log

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 21, 2008 07:37:54
Records in database: 1330410
Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan mail databases: yes
  Scan area: My Computer
    C:\
    D:\
    E:\
Scan statistics
  Files scanned: 88578
  Threat name: 6
  Infected objects: 131
  Suspicious objects: 0
  Duration of the scan: 02:36:51

File name Threat name Threats count
C:\WINDOWS\system32\arkcmd.dll/C:\WINDOWS\system32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 35
C:\WINDOWS\system32\ztvmbl.dll/C:\WINDOWS\system32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 35
C:\WINDOWS\system32\xzacet.dll/C:\WINDOWS\system32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 34
C:\WINDOWS\System32\xzacet.dll/C:\WINDOWS\System32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 3
C:\WINDOWS\System32\arkcmd.dll/C:\WINDOWS\System32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 3
C:\WINDOWS\System32\ztvmbl.dll/C:\WINDOWS\System32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 3
C:\WINDOWS\SYSTEM32\xzacet.dll/C:\WINDOWS\SYSTEM32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 2
C:\WINDOWS\SYSTEM32\arkcmd.dll/C:\WINDOWS\SYSTEM32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 2
C:\WINDOWS\SYSTEM32\ztvmbl.dll/C:\WINDOWS\SYSTEM32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 2
C:\WINDOWS\system32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
C:\WINDOWS\system32\blhpsmrg.dll Infected: Trojan.Win32.Pakes.lam 1
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\WINDOWS\system32\dpgadirt.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
C:\WINDOWS\system32\eodpuuxy.dll Infected: Trojan.Win32.Agent.aidu 1
C:\WINDOWS\system32\lfpcvkqk.dll Infected: Trojan.Win32.Agent.aidu 1
C:\WINDOWS\system32\mgwmsjor.dll Infected: Trojan.Win32.Pakes.lam 1
C:\WINDOWS\system32\mxkdpuyi.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
C:\WINDOWS\system32\xdjccgxo.dll Infected: Trojan.Win32.Monder.tee 1
C:\WINDOWS\system32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 1
C:\WINDOWS\system32\yahnfvnb.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 1
C:\WINDOWS\system32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
The selected area was scanned.

Wall of text strikes you for 4234 hp :thumbsup:
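
The Kaspersky report above lists the same DLL several times, once per case variant of the path (system32, System32, SYSTEM32) and once in the scanner's container/inner form, so the 21 lines do not say directly how many files need removing. The script below is an added example, not part of the thread and not Kaspersky's own tooling: it parses the report, collapses those duplicates, separates real trojans from the "not-a-virus" riskware, and checks that the per-line counts add up to the scanner's own "Infected objects" and "Threat name" figures. The SAMPLE_REPORT string is copied from the post; the function and variable names are the example's own.

```python
# Added example: reconcile a Kaspersky Online Scanner 7 report with its own
# statistics block. Not from the forum post and not Kaspersky's code.
import re
from collections import defaultdict

# Constructed sample: statistics block and detection lines copied from the
# report posted in the thread.
SAMPLE_REPORT = r"""
Scan statistics
Files scanned 88578
Threat name 6
Infected objects 131
Suspicious objects 0

File name Threat name Threats count
C:\WINDOWS\system32\arkcmd.dll/C:\WINDOWS\system32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 35
C:\WINDOWS\system32\ztvmbl.dll/C:\WINDOWS\system32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 35
C:\WINDOWS\system32\xzacet.dll/C:\WINDOWS\system32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 34
C:\WINDOWS\System32\xzacet.dll/C:\WINDOWS\System32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 3
C:\WINDOWS\System32\arkcmd.dll/C:\WINDOWS\System32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 3
C:\WINDOWS\System32\ztvmbl.dll/C:\WINDOWS\System32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 3
C:\WINDOWS\SYSTEM32\xzacet.dll/C:\WINDOWS\SYSTEM32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 2
C:\WINDOWS\SYSTEM32\arkcmd.dll/C:\WINDOWS\SYSTEM32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 2
C:\WINDOWS\SYSTEM32\ztvmbl.dll/C:\WINDOWS\SYSTEM32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 2
C:\WINDOWS\system32\arkcmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
C:\WINDOWS\system32\blhpsmrg.dll Infected: Trojan.Win32.Pakes.lam 1
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\WINDOWS\system32\dpgadirt.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
C:\WINDOWS\system32\eodpuuxy.dll Infected: Trojan.Win32.Agent.aidu 1
C:\WINDOWS\system32\lfpcvkqk.dll Infected: Trojan.Win32.Agent.aidu 1
C:\WINDOWS\system32\mgwmsjor.dll Infected: Trojan.Win32.Pakes.lam 1
C:\WINDOWS\system32\mxkdpuyi.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
C:\WINDOWS\system32\xdjccgxo.dll Infected: Trojan.Win32.Monder.tee 1
C:\WINDOWS\system32\xzacet.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 1
C:\WINDOWS\system32\yahnfvnb.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.eku 1
C:\WINDOWS\system32\ztvmbl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.emg 1
The selected area was scanned.
"""

STAT_RE = re.compile(r"^(Files scanned|Threat name|Infected objects|Suspicious objects):? (\d+)$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def on_disk_path(raw):
    """Kaspersky writes an object scanned inside a container as 'container/inner'.
    Only the container exists on disk, and NTFS ignores case, so key on the
    first segment, lower-cased."""
    container, _, inner = raw.partition("/")
    return container.lower(), (inner or None)


def family(threat):
    """'Type.Platform.Family.variant' -> 'Type.Platform.Family', dropping the
    'not-a-virus:' riskware prefix."""
    return ".".join(threat.split(":", 1)[-1].split(".")[:3])


def parse_report(text):
    stats, counted = {}, 0
    files = defaultdict(lambda: {"threats": set(), "count": 0})
    for line in text.splitlines():
        line = line.strip()
        if (m := STAT_RE.match(line)):
            stats[m.group(1)] = int(m.group(2))
        elif (m := DETECTION_RE.match(line)):
            path, _ = on_disk_path(m.group("path"))
            n = int(m.group("count"))
            files[path]["threats"].add(m.group("threat"))
            files[path]["count"] += n
            counted += n
    return {"stats": stats, "files": dict(files), "counted": counted}


def triage(report):
    files, stats = report["files"], report["stats"]
    distinct = {t for f in files.values() for t in f["threats"]}
    malware = sorted(p for p, f in files.items()
                     if any(not t.startswith("not-a-virus:") for t in f["threats"]))
    return {
        "unique_files": len(files),
        "distinct_threats": len(distinct),
        "families": sorted({family(t) for t in distinct}),
        "malware": malware,                       # real trojans: remove these first
        "riskware_only": sorted(set(files) - set(malware)),
        # True only if the detection lines add up to the scanner's summary figures.
        "consistent": (report["counted"] == stats.get("Infected objects")
                       and len(distinct) == stats.get("Threat name")),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On this report the 21 lines collapse to 12 on-disk files, five of which carry a real trojan detection (Pakes, Agent, Monder), and the counts reconcile exactly with the 131 and 6 in the statistics block. A report that does not reconcile usually means lines were lost in copying, which is worth knowing before a helper builds a removal script from it.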

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:38 AM

Posted 21 October 2008 - 04:15 PM

Hello, Tugger.
Woah!

You've got one SERIOUSLY infected machine here :)

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.
  • About 1 in 100 times the computer will no longer be able to boot after running Combofix. This requires experienced hands to restore the system to bootability.
  • There are several malware infections that "target" Combofix. Experienced Helpers are aware of these infections, and take steps to remove them prior to the use of Combofix. If you do not, various things can happen depending on the infection -- from Combofix being unable to run, to the deletion of the folder C:\Windows\System32, requiring a clean install to repair.
  • Combofix makes some rather significant changes to the internals of XP and Vista in order to work. It can therefore be very dangerous!!
  • The real power of Combofix comes not as a general-purpose malware remover. It is rather modest in that capacity. Combofix is powerful because it provides to the experienced Helper a convenient and powerful front-end to Scripts. It is because of its scripting strengths, and its unique reporting capabilities, that you see Combofix often recommended. But not because of its abilities as a general malware scanner.
  • Many malware removal experts will not respond to a request for help if they see that Combofix was run by the end-user without supervision. You might find after running Combofix that your system problems are worse, and nobody is willing to help you.
  • There are several general purpose anti-malware utilities where the Author(s) intended the application for general use by end-users without Supervision. Combofix is not one of them, and you would be advised to honor that position taken by its Author.
How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix.exe on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • ComboFix may ask to reboot the machine. If asked, DO NOT REBOOT THE MACHINE YOURSELF!! (Unless you enjoy installing windows :thumbsup: )
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Tugger

Tugger
  • Topic Starter

  • Members
  • 7 posts
  • Local time:04:38 AM

Posted 21 October 2008 - 05:23 PM

Alright. The log says I don't have the Recovery Console, but ComboFix didn't ask me if I wanted to install it. Just in case you wanted to know.

ComboFix 08-10-19.04 - A403683 2008-10-21 23:39:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.523 [GMT 2:00]
Running from: C:\Documents and Settings\A403683\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\arkcmd.dll
C:\WINDOWS\system32\assdbw.dll
C:\WINDOWS\system32\blhpsmrg.dll
C:\WINDOWS\system32\byXqroOe.dll
C:\WINDOWS\system32\chxhdboq.dll
C:\WINDOWS\system32\ddbhkoej.dll
C:\WINDOWS\system32\ddcAsRhH.dll
C:\WINDOWS\system32\dftrhfev.dll
C:\WINDOWS\system32\dldgynnn.ini
C:\WINDOWS\system32\dpgadirt.dll
C:\WINDOWS\system32\dptolwpc.dll
C:\WINDOWS\system32\eodpuuxy.dll
C:\WINDOWS\system32\eOorqXyb.ini
C:\WINDOWS\system32\eOorqXyb.ini2
C:\WINDOWS\system32\fgnjkgbu.dll
C:\WINDOWS\system32\fxsene.dll
C:\WINDOWS\system32\grmsphlb.ini
C:\WINDOWS\system32\hgeihjyj.ini
C:\WINDOWS\system32\hgfqgfwi.dll
C:\WINDOWS\system32\idvghy.dll
C:\WINDOWS\system32\jqgmqggj.dll
C:\WINDOWS\system32\jwcjqr.dll
C:\WINDOWS\system32\kqkvcpfl.ini
C:\WINDOWS\system32\lfpcvkqk.dll
C:\WINDOWS\system32\meiewkgg.dll
C:\WINDOWS\system32\mgwmsjor.dll
C:\WINDOWS\system32\mutqwnxx.ini
C:\WINDOWS\system32\mxkdpuyi.dll
C:\WINDOWS\system32\njxtffmo.dll
C:\WINDOWS\system32\nnnygdld.dll
C:\WINDOWS\system32\oppjhuwr.dll
C:\WINDOWS\system32\oxgccjdx.ini
C:\WINDOWS\system32\paekql.dll
C:\WINDOWS\system32\pWHQYcfe.ini2
C:\WINDOWS\system32\qobdhxhc.ini
C:\WINDOWS\system32\rbusbo.dll
C:\WINDOWS\system32\rojsmwgm.ini
C:\WINDOWS\system32\rwuhjppo.ini
C:\WINDOWS\system32\seawhdlu.ini
C:\WINDOWS\system32\slqgzp.dll
C:\WINDOWS\system32\srrxvoey.dll
C:\WINDOWS\system32\ssbvnl.dll
C:\WINDOWS\system32\ssqNHyxv.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\tjyfkx.dll
C:\WINDOWS\system32\uldhwaes.dll
C:\WINDOWS\system32\vxxIQqss.ini2
C:\WINDOWS\system32\xdjccgxo.dll
C:\WINDOWS\system32\xgbuakjq.ini
C:\WINDOWS\system32\xxnwqtum.dll
C:\WINDOWS\system32\xzacet.dll
C:\WINDOWS\system32\yahnfvnb.dll
C:\WINDOWS\system32\ydwexwrb.dll
C:\WINDOWS\system32\yeovxrrs.ini
C:\WINDOWS\system32\ynuwxmxc.dll
C:\WINDOWS\system32\yxuupdoe.ini
C:\WINDOWS\system32\zsorme.dll
C:\WINDOWS\system32\ztvmbl.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.

2008-10-21 23:08 . 2008-10-21 23:15 <DIR> d-------- C:\INDYDESK
2008-10-21 23:08 . 1994-08-24 01:00 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
2008-10-21 23:08 . 1994-09-21 01:00 92,208 --a------ C:\WINDOWS\system\WING.DLL
2008-10-21 23:08 . 1994-02-18 17:47 26,112 --a------ C:\WINDOWS\system\WAVEMIX.DLL
2008-10-21 23:08 . 1994-09-21 01:00 12,800 --a------ C:\WINDOWS\system\WING32.DLL
2008-10-21 23:08 . 1994-09-21 01:00 6,736 --a------ C:\WINDOWS\system\WINGDIB.DRV
2008-10-21 23:08 . 1994-09-21 01:00 5,024 --a------ C:\WINDOWS\system\WINGPAL.WND
2008-10-21 23:08 . 1996-02-27 18:54 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
2008-10-21 23:08 . 1994-06-20 01:00 1,966 --a------ C:\WINDOWS\system\DVA.386
2008-10-20 22:17 . 2008-10-20 22:17 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-19 00:15 . 2008-10-19 00:15 <DIR> d-------- C:\Program Files\directx
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Program Files\KONAMI
2008-10-12 21:22 . 2008-10-12 21:22 <DIR> d-------- C:\VundoFix Backups
2008-10-12 17:35 . 2008-10-12 17:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-12 12:09 . 2008-10-12 12:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-12 12:09 . 2008-10-12 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 19:14 . 2008-10-11 19:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-11 19:14 . 2008-10-11 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-09 09:28 . 2008-10-09 09:28 <DIR> d-------- C:\Program Files\CDisplay
2008-10-07 21:05 . 2008-10-07 21:05 <DIR> d-------- C:\Program Files\WinSCP
2008-10-06 20:24 . 2008-10-06 20:24 <DIR> d-------- C:\Program Files\LEd
2008-10-06 20:08 . 2008-10-06 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MiKTeX
2008-10-06 20:00 . 2008-10-06 20:06 <DIR> d-------- C:\Program Files\MiKTeX 2.7
2008-09-29 14:16 . 2008-09-29 14:16 28,962,712 --a------ C:\WINDOWS\system32\xa5699171.exe
2008-09-29 14:16 . 2008-09-29 14:16 172,032 --a------ C:\WINDOWS\system32\xwr47437.dll
2008-09-29 14:16 . 2008-09-29 14:16 172,032 --a------ C:\WINDOWS\system32\wr47437.dll
2008-09-29 14:15 . 2008-09-29 14:16 28,962,712 --a------ C:\WINDOWS\system32\xa5685890.exe
2008-09-29 12:45 . 2008-09-29 12:45 <DIR> d-------- C:\Program Files\DAEMON Tools Toolbar
2008-09-29 12:45 . 2008-09-29 12:45 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-09-28 23:11 . 2008-09-28 23:11 <DIR> d-------- C:\Documents and Settings\A403683\Application Data\DAEMON Tools
2008-09-28 23:11 . 2008-09-28 23:11 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-09-22 21:02 . 2008-09-22 21:03 <DIR> d-------- C:\Program Files\eclipse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 21:16 --------- d-----w C:\Documents and Settings\A403683\Application Data\uTorrent
2008-10-20 21:14 --------- d-----w C:\Program Files\Bonjour
2008-10-18 22:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-11 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-22 16:18 --------- d-----w C:\Program Files\Java
2008-09-13 23:36 --------- d-----w C:\Program Files\iTunes
2008-09-13 23:36 --------- d-----w C:\Program Files\iPod
2008-09-13 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-13 23:34 --------- d-----w C:\Program Files\QuickTime
2008-09-01 20:24 --------- d-----w C:\Documents and Settings\A403683\Application Data\vlc
2008-09-01 18:43 --------- d-----w C:\Program Files\VideoLAN
2008-08-25 16:18 --------- d-----w C:\Program Files\uTorrent
2008-08-25 16:17 --------- d-----w C:\Program Files\BitComet
2008-08-24 08:18 --------- d-----w C:\Program Files\Apple Software Update
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{344F39DC-EA87-3882-879E-D8B295DEDAE4}]
2008-09-29 14:16 172032 --a------ C:\WINDOWS\system32\xwr47437.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 135168]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\hkmonitor8\Start Menu\Programs\Startup\
info.cmd [2005-12-13 105]

C:\Documents and Settings\A403683\Start Menu\Programs\Startup\
info.cmd [2005-12-13 105]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2008-01-03 245760]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Install Pending Files.LNK - C:\Program Files\PTPNDFLS\PTPNDFLS.EXE [2007-06-07 1695744]
WinZip Quick Pick.lnk - C:\Program Files\WINZIP\WZQKPICK.EXE [2007-05-29 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=wsusp.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=SAV6INST.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\0\0]
"Script"=\\af.se\afdfs\Install\GPO\o03\o03.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\1\0]
"Script"=PXODBCInstallations.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\2\0]
"Script"=MallInstallation.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\3\0]
"Script"=\\af.se\netlogon\New\DameWareSettings.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13077:TCP"= 13077:TCP:BitComet 13077 TCP
"13077:UDP"= 13077:UDP:BitComet 13077 UDP

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-01-03 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2008-01-03 33408]
R2 DPT;DPT Client;C:\WINDOWS\system32\dpt\dptservice.exe [2008-04-08 147456]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys [2008-06-13 83344]
.
Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-01-03 C:\WINDOWS\Tasks\Monday Lunch.job
- C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-01-03 08:55]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1913F913-DDEA-4C32-BC76-D115B9222A19} - (no file)
BHO-{39213986-9AA4-448D-83FD-A44379D425DC} - (no file)
BHO-{3DADE00B-F138-40DB-9C91-AF3F16BE5C3A} - (no file)
BHO-{5954EC04-4E11-4223-B7DC-67A4F22873C7} - C:\WINDOWS\system32\byXqroOe.dll
BHO-{73646E25-DA77-49BE-9C2F-D51EDABA82F5} - (no file)
BHO-{7A65DA76-1528-4988-BBD7-20F35AE3A4C7} - (no file)
BHO-{7ADC7466-E244-4C02-9BC8-19A67B3E9D7B} - (no file)
BHO-{AAB1F8EF-BD11-457E-BAA5-8C910ECD7921} - (no file)
BHO-{C88267EF-7DE8-4EE8-8E10-A039CD892F90} - (no file)
HKLM-Run-60b1ca99 - C:\WINDOWS\system32\srrxvoey.dll
Notify-ddcAsRhH - ddcAsRhH.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\A403683\Application Data\Mozilla\Firefox\Profiles\nif9w8r0.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 23:51:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\DWRCST.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-10-22 0:00:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-21 22:00:10

Pre-Run: 31 024 447 488 bytes free
Post-Run: 31,040,782,336 bytes free

273
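
The "Other Deletions" list above shows the Virtumonde (Vundo) companion-file pattern: for most of the removed .ini files there is a .dll whose name is the .ini name spelled backwards (blhpsmrg.dll and grmsphlb.ini, eodpuuxy.dll and yxuupdoe.ini, byXqroOe.dll and eOorqXyb.ini, and so on). The script below is an added example, not ComboFix's code and not from the post. It splits a ComboFix log on its banner lines, pairs each removed .ini with its reversed-name DLL, reports .ini files whose DLL was not in the list (pWHQYcfe.ini2, the file Sophos had named, is one), and flags two items from "Reg Loading Points": a Browser Helper Object loaded straight out of system32 (the one the helper targets in the next reply) and the Windows Firewall being switched off. SAMPLE_LOG is an abridged copy of the log; the function names are the example's own.

```python
# Added triage helpers for a ComboFix log; not ComboFix's own code and not from
# the forum post. Reads the 'Other Deletions' and 'Reg Loading Points' sections.
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the log lines posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\blhpsmrg.dll
C:\WINDOWS\system32\byXqroOe.dll
C:\WINDOWS\system32\dldgynnn.ini
C:\WINDOWS\system32\eodpuuxy.dll
C:\WINDOWS\system32\eOorqXyb.ini
C:\WINDOWS\system32\eOorqXyb.ini2
C:\WINDOWS\system32\grmsphlb.ini
C:\WINDOWS\system32\hgeihjyj.ini
C:\WINDOWS\system32\nnnygdld.dll
C:\WINDOWS\system32\pWHQYcfe.ini2
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\xzacet.dll
C:\WINDOWS\system32\yxuupdoe.ini

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{344F39DC-EA87-3882-879E-D8B295DEDAE4}]
2008-09-29 14:16 172032 --a------ C:\WINDOWS\system32\xwr47437.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.+$")
BARE_SYSTEM32_DLL_RE = re.compile(r"(?i)^c:\\windows\\system32\\[^\\]+\.dll$")


def sections(log):
    """Split the log on its '((( title )))' banners into {title: [lines]}."""
    out, title = defaultdict(list), None
    for line in log.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            title = m.group(1)
        elif title:
            out[title].append(line.rstrip())
    return out


def vundo_pairs(deleted_paths):
    """Pair each removed .ini/.ini2 with the .dll whose base name is the .ini
    name spelled backwards; compare lower-cased because NTFS ignores case."""
    exts = defaultdict(set)                      # stem -> {'dll', 'ini', 'ini2'}
    for path in deleted_paths:
        stem, _, ext = path.rsplit("\\", 1)[-1].partition(".")
        if ext.lower() in ("dll", "ini", "ini2"):
            exts[stem.lower()].add(ext.lower())
    dlls = {s for s, e in exts.items() if "dll" in e}
    inis = {s for s, e in exts.items() if e - {"dll"}}
    return (sorted((i, i[::-1]) for i in inis if i[::-1] in dlls),
            sorted(i for i in inis if i[::-1] not in dlls),   # .ini without its DLL
            sorted(d for d in dlls if d[::-1] not in inis))   # DLL without an .ini


def loading_point_findings(lines):
    """Flag a BHO loaded straight out of system32 and a disabled firewall."""
    findings, key = [], None
    for line in (l.strip() for l in lines):
        if line.startswith("["):
            key = line
        elif key and "Browser Helper Objects" in key:
            m = DRIVE_PATH_RE.search(line)
            if m and BARE_SYSTEM32_DLL_RE.match(m.group(0)):
                findings.append(("bho-in-system32", key, m.group(0)))
        elif key and key.lower().endswith("firewallpolicy\\standardprofile]"):
            if re.match(r'"EnableFirewall"=\s*0\b', line):
                findings.append(("firewall-disabled", key, line))
    return findings


def triage(log):
    secs = sections(log)
    deleted = [l for l in secs.get("Other Deletions", []) if re.match(r"[A-Za-z]:\\", l)]
    paired, orphan_ini, lone_dll = vundo_pairs(deleted)
    return {"deleted": len(deleted), "vundo_pairs": paired, "orphan_ini": orphan_ini,
            "lone_dll": lone_dll,
            "findings": loading_point_findings(secs.get("Reg Loading Points", []))}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run triage(open(r"C:\ComboFix.txt").read()) against the full log above and the pairing yields twelve reversed-name pairs plus four .ini files with no DLL left to pair with. Both registry findings are heuristics rather than verdicts: this is a domain-joined machine with GPO logon scripts, so EnableFirewall=0 may come from policy rather than from malware, and plenty of legitimate components live directly in system32. What makes xwr47437.dll stand out is the combination of a BHO registration, a meaningless eight-character name and a creation time identical to the other dropped files in the "Files Created" list.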

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:38 AM

Posted 21 October 2008 - 06:49 PM

Hello, Tugger.

There was a nasty infection in your system which may have prevented RC installation. Go ahead and run this; CF should ask you again.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/174210/infected-with-trojvirtum-gen/
    collect::
    C:\WINDOWS\system32\xa5699171.exe
    C:\WINDOWS\system32\xwr47437.dll
    C:\WINDOWS\system32\wr47437.dll
    C:\WINDOWS\system32\xa5685890.exe
    file::
    C:\Documents and Settings\hkmonitor8\Start Menu\Programs\Startup\info.cmd
    C:\Documents and Settings\A403683\Start Menu\Programs\Startup\info.cmd
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{344F39DC-EA87-3882-879E-D8B295DEDAE4}]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Drag CFScript.txt into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

#7 Tugger

Tugger
  • Topic Starter

  • Members
  • 7 posts
  • Local time:04:38 AM

Posted 23 October 2008 - 01:34 PM

Alright. Here's the log. This time, too, ComboFix didn't ask me if I wanted to install the Recovery Console.
Combofix also wanted me to upload C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip to Bleeping Computer via this page:
file:///C:/QooBox/CF-Submit-Previous.htm
That page has been running for a while and doesn't seem to work. I chose the file I wanted to upload and pressed the send button, but the page has now been loading for several minutes and nothing is happening. Is there something wrong?


ComboFix 08-10-23.01 - A403683 2008-10-23 20:12:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT 2:00]
Running from: C:\Documents and Settings\A403683\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\A403683\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\A403683\Start Menu\Programs\Startup\info.cmd
C:\Documents and Settings\hkmonitor8\Start Menu\Programs\Startup\info.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A403683\Start Menu\Programs\Startup\info.cmd
C:\Documents and Settings\hkmonitor8\Start Menu\Programs\Startup\info.cmd
C:\WINDOWS\system32\wr47437.dll
C:\WINDOWS\system32\xa5685890.exe
C:\WINDOWS\system32\xa5699171.exe
C:\WINDOWS\system32\xwr47437.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
.

2008-10-21 23:08 . 2008-10-21 23:15 <DIR> d-------- C:\INDYDESK
2008-10-21 23:08 . 1994-08-24 01:00 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
2008-10-21 23:08 . 1994-09-21 01:00 92,208 --a------ C:\WINDOWS\system\WING.DLL
2008-10-21 23:08 . 1994-02-18 17:47 26,112 --a------ C:\WINDOWS\system\WAVEMIX.DLL
2008-10-21 23:08 . 1994-09-21 01:00 12,800 --a------ C:\WINDOWS\system\WING32.DLL
2008-10-21 23:08 . 1994-09-21 01:00 6,736 --a------ C:\WINDOWS\system\WINGDIB.DRV
2008-10-21 23:08 . 1994-09-21 01:00 5,024 --a------ C:\WINDOWS\system\WINGPAL.WND
2008-10-21 23:08 . 1996-02-27 18:54 2,552 --a------ C:\WINDOWS\WAVEMIX.INI
2008-10-21 23:08 . 1994-06-20 01:00 1,966 --a------ C:\WINDOWS\system\DVA.386
2008-10-20 22:17 . 2008-10-20 22:17 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-19 00:15 . 2008-10-19 00:15 <DIR> d-------- C:\Program Files\directx
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Program Files\KONAMI
2008-10-12 21:22 . 2008-10-12 21:22 <DIR> d-------- C:\VundoFix Backups
2008-10-12 17:35 . 2008-10-12 17:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-12 12:09 . 2008-10-12 12:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-12 12:09 . 2008-10-12 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 19:14 . 2008-10-11 19:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-11 19:14 . 2008-10-11 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-09 09:28 . 2008-10-09 09:28 <DIR> d-------- C:\Program Files\CDisplay
2008-10-07 21:05 . 2008-10-07 21:05 <DIR> d-------- C:\Program Files\WinSCP
2008-10-06 20:24 . 2008-10-06 20:24 <DIR> d-------- C:\Program Files\LEd
2008-10-06 20:08 . 2008-10-06 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MiKTeX
2008-10-06 20:00 . 2008-10-06 20:06 <DIR> d-------- C:\Program Files\MiKTeX 2.7
2008-09-29 12:45 . 2008-09-29 12:45 <DIR> d-------- C:\Program Files\DAEMON Tools Toolbar
2008-09-29 12:45 . 2008-09-29 12:45 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-09-28 23:11 . 2008-09-28 23:11 <DIR> d-------- C:\Documents and Settings\A403683\Application Data\DAEMON Tools
2008-09-28 23:11 . 2008-09-28 23:11 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 21:16 --------- d-----w C:\Documents and Settings\A403683\Application Data\uTorrent
2008-10-20 21:14 --------- d-----w C:\Program Files\Bonjour
2008-10-18 22:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-11 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-22 19:03 --------- d-----w C:\Program Files\eclipse
2008-09-22 16:18 --------- d-----w C:\Program Files\Java
2008-09-13 23:36 --------- d-----w C:\Program Files\iTunes
2008-09-13 23:36 --------- d-----w C:\Program Files\iPod
2008-09-13 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-13 23:34 --------- d-----w C:\Program Files\QuickTime
2008-09-01 20:24 --------- d-----w C:\Documents and Settings\A403683\Application Data\vlc
2008-09-01 18:43 --------- d-----w C:\Program Files\VideoLAN
2008-08-29 08:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 07:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-25 16:18 --------- d-----w C:\Program Files\uTorrent
2008-08-25 16:17 --------- d-----w C:\Program Files\BitComet
2008-08-24 08:18 --------- d-----w C:\Program Files\Apple Software Update
.

((((((((((((((((((((((((((((( snapshot@2008-10-21_23.59.41.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-23 15:21:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 135168]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2008-01-03 245760]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Install Pending Files.LNK - C:\Program Files\PTPNDFLS\PTPNDFLS.EXE [2007-06-07 1695744]
WinZip Quick Pick.lnk - C:\Program Files\WINZIP\WZQKPICK.EXE [2007-05-29 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=wsusp.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=SAV6INST.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\0\0]
"Script"=\\af.se\afdfs\Install\GPO\o03\o03.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\1\0]
"Script"=PXODBCInstallations.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\2\0]
"Script"=MallInstallation.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-682003330-725345543-66546\Scripts\Logon\3\0]
"Script"=\\af.se\netlogon\New\DameWareSettings.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13077:TCP"= 13077:TCP:BitComet 13077 TCP
"13077:UDP"= 13077:UDP:BitComet 13077 UDP

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-01-03 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2008-01-03 33408]
R2 DPT;DPT Client;C:\WINDOWS\system32\dpt\dptservice.exe [2008-04-08 147456]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys [2008-06-13 83344]
.
Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-01-03 C:\WINDOWS\Tasks\Monday Lunch.job
- C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-01-03 08:55]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 20:14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
Completion time: 2008-10-23 20:18:07
ComboFix-quarantined-files.txt 2008-10-23 18:17:03
ComboFix2.txt 2008-10-21 22:00:15

Pre-Run: 30,999,949,312 bytes free
Post-Run: 30,866,907,136 bytes free


#8 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 23 October 2008 - 08:33 PM

Hello, Tugger.

Alright. Here's the log. This time, too, ComboFix didn't ask me whether I wanted to install the Recovery Console.
ComboFix also wanted me to upload C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip to Bleeping Computer via this page:
file:///C:/QooBox/CF-Submit-Previous.htm
That page has been running for a while and doesn't seem to work. I chose the file I wanted to upload and pressed the send button; now the page has been loading for several minutes and nothing is happening. Is there something wrong?


Yes, something's not right there. Just go ahead and close the window.

Other than that, how are things running?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can exploit to infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows" (OR if you are on a x64 system, "Windows x64")
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (Or "Uninstall a Program" on Vista) and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe (Or jre-6u10-windows-x64.exe for x64 systems)
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and choosing "Paste" (or Ctrl+V) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 Billy O'Neal

Posted 25 October 2008 - 05:42 PM

Hello, Tugger.
Are you still here?

Billy3

#10 Tugger
  • Topic Starter


Posted 25 October 2008 - 06:48 PM

Are you still here?


Yes, Billy, I am still here. Been rather busy, but now I am back.
Everything is running fine over here. Although, when I wanted to uninstall the Java Runtime Environment, there was no such thing in my Add or Remove Programs list. All I could find was Java™ 6 Update 5 and Java™ 6 Update 7. Shall I remove these programs? Because I don't see any Java Runtime Environment, which is very strange, I guess?

#11 Billy O'Neal

Posted 25 October 2008 - 08:38 PM

Are you still here?


Yes, Billy, I am still here. Been rather busy, but now I am back.
Everything is running fine over here. Although, when I wanted to uninstall the Java Runtime Environment, there was no such thing in my Add or Remove Programs list. All I could find was Java™ 6 Update 5 and Java™ 6 Update 7. Shall I remove these programs? Because I don't see any Java Runtime Environment, which is very strange, I guess?

Yes, you should remove both programs and install Update 10 :thumbsup: What you're seeing in Add/Remove is normal :) Sometimes only Java is there, sometimes Java Runtime Environment is spelled out :)

Billy3

#12 Tugger
  • Topic Starter


Posted 26 October 2008 - 01:24 PM

Here you go Billy.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3556 (20081026)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=9590b3b774294645ad7a353dfcd991aa
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-26 06:23:52
# local_time=2008-10-26 07:23:52 (+0100, W. Europe Standard Time)
# country="Sweden"
# osver=5.1.2600 NT Service Pack 2
# scanned=1055469
# found=7
# scan_time=7345
C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip Win32/BHO.NHM trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip »ZIP »wr47437.dll Win32/BHO.NHM trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip »ZIP »xwr47437.dll Win32/BHO.NHM trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnygdld.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\xdjccgxo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\xzacet.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\yahnfvnb.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
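The log above is ESET's plain-text report: `# key=value` header lines, then one line per finding of the form `<path> <threat name> (<action>) <hash>`, with members of an archive written as `<archive> »ZIP »<member>`. The script below is an added example, not part of the original thread and not ESET's or ComboFix's own tooling. It parses that format and checks the point the verdict in this thread rests on: every hit sits under C:\Qoobox (ComboFix's quarantine folder, visible in the paths) and was removed, so nothing live is left on disk. The seven detection lines are copied from the post above; the extra line at C:\Program Files\Example\evil.dll is constructed and hypothetical, added so the triage has a non-quarantined hit to flag. The assumption that every ESET threat name is two words (name plus category) is mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input. Header and the seven detection lines are copied from the ESET log
# posted above; LIVE_LINE is a constructed hit at a made-up path so the triage
# has something outside ComboFix's quarantine to flag.
POSTED_LOG = r"""# version=4
# vers_standard_module=3556 (20081026)
# end=finished
# remove_checked=true
# osver=5.1.2600 NT Service Pack 2
# scanned=1055469
# found=7
# scan_time=7345
C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip Win32/BHO.NHM trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip »ZIP »wr47437.dll Win32/BHO.NHM trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-10-23@20.10.zip »ZIP »xwr47437.dll Win32/BHO.NHM trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnygdld.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\xdjccgxo.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\xzacet.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\yahnfvnb.dll.vir Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
"""
LIVE_LINE = (r"C:\Program Files\Example\evil.dll Win32/Adware.Virtumonde application "
             "(cleaned by deleting - quarantined) 00000000000000000000000000000000")

# Path is matched lazily and may contain spaces; the threat name is assumed to be
# two tokens (e.g. "Win32/BHO.NHM trojan"); the action is the parenthesised text;
# the line ends with a 32-hex-digit digest.
DETECTION_RE = re.compile(
    r"^(?P<path>.*?)\s+(?P<threat>\S+\s+\S+)\s+\((?P<action>.*)\)\s+(?P<digest>[0-9A-Fa-f]{32})$"
)
QUARANTINE_ROOT = "c:\\qoobox\\"  # ComboFix's quarantine folder, as seen in the log


@dataclass
class Finding:
    path: str
    threat: str
    action: str
    digest: str

    @property
    def container(self) -> str:
        # Archive members are written "<archive> »ZIP »<member>"; the object that
        # actually exists on disk is the archive itself.
        return self.path.split(" »")[0]

    @property
    def quarantined(self) -> bool:
        return self.container.lower().startswith(QUARANTINE_ROOT)

    @property
    def removed(self) -> bool:
        # ESET phrases removal as "deleted", "cleaned by deleting" or
        # "was a part of the deleted object" (for archive members).
        return any(word in self.action for word in ("deleted", "deleting"))


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    """Split the log into its '# key=value' header and its detection lines."""
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        match = DETECTION_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised detection line: {line!r}")
        findings.append(Finding(**match.groupdict()))
    return header, findings


def triage(text: str) -> Dict[str, object]:
    """Decide whether the scan leaves anything live outside ComboFix's quarantine."""
    header, findings = parse_eset_log(text)
    live = [f for f in findings if not f.quarantined]
    not_removed = [f for f in findings if not f.removed]
    declared = int(header.get("found", "0"))
    finished = header.get("end") == "finished"
    return {
        "finished": finished,
        "declared_found": declared,
        "parsed_found": len(findings),
        "count_matches": declared == len(findings),
        "live_paths": sorted({f.container for f in live}),
        "not_removed": [f.path for f in not_removed],
        "threats": sorted({f.threat for f in findings}),
        # Conservative: unfinished scan, a header/line-count mismatch, anything
        # ESET could not remove, or any hit outside the quarantine means "not clean".
        "clean": finished and declared == len(findings) and not live and not not_removed,
    }


if __name__ == "__main__":
    for key, value in triage(POSTED_LOG).items():
        print(f"{key}: {value}")
```

On the posted log every finding resolves to a `C:\Qoobox\Quarantine\...` container and carries a removal action, so `clean` is true, which is the basis for calling the machine clean: ESET only re-detected what ComboFix had already pulled off the system. With the constructed `LIVE_LINE` appended (and `# found=` bumped to 8) the same check reports the `C:\Program Files\Example\evil.dll` path under `live_paths` and flips `clean` to false, even though ESET says it deleted the file, because a hit outside the quarantine means the infection was still active on disk before this scan and warrants another look.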

#13 Billy O'Neal

Posted 26 October 2008 - 09:50 PM

Hello, Tugger.
Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u"; it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double-click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3

#14 Billy O'Neal

Posted 28 October 2008 - 03:37 PM

Hello, Tugger.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



