
Recent infection from trojan.vundo and malware.trace


This topic is locked
18 replies to this topic

#1 bingbong

bingbong

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:34 PM

Posted 26 October 2008 - 04:27 PM

Hi everyone, it has been suggested to me that I post a HijackThis log after numerous attempts at cleaning up my computer.

I've been hit with quite a few viruses (trojan vundo, malware trace).
After using the F-Secure online scan I've also removed a couple of other viruses, but there appear to be about 25 files that won't scan.

Spyware Doctor has identified some files in localsettings\temp\WPDNSE as being of high risk, but I have had no luck in deleting them.

I've also noticed that there are two invisible files sitting in my recycle bin that won't delete or show themselves.

Thanks for any help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:18:20, on 27/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {003F7B66-8E81-4C69-A4C0-8B73609283C0} - (no file)
O2 - BHO: (no name) - {50887A3E-98E4-477F-A03A-B7CD6389BB1C} - (no file)
O2 - BHO: (no name) - {6277CEAA-996A-485E-8245-4A31528803C7} - (no file)
O2 - BHO: (no name) - {6BB4BBB4-9506-4E50-A9EE-89BA967121FD} - C:\WINDOWS\system32\jkkICtqn.dll (file missing)
O2 - BHO: (no name) - {7611D02D-AD35-46E4-B41E-438C569B3EFD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {998DAE3E-7D4F-4952-A71F-467D8FE64407} - (no file)
O2 - BHO: (no name) - {9C7C1C81-E002-43F3-8182-E9B0B6C59F89} - (no file)
O2 - BHO: (no name) - {F849FE04-066B-406C-9B9A-5701BD1C8A39} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kvali.com/wfplayer/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098516934953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201510920343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...324/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C869CEE0-5236-4137-97B5-3CE6549F88AA}: NameServer = 123.2.6.197 122.148.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: notdtc.dll lvmrwe.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mlJBQHAP - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Trollope/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Trollope/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 9471 bytes



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 12 November 2008 - 08:28 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTScanIt
Download OTScanIt2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box.
  • Under the Additional Scans bar, click "Extras". Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


In your next reply include:
-the OTScanIt log (attached)
-the Kaspersky log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 bingbong

bingbong
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:34 PM

Posted 14 November 2008 - 02:08 AM

Hi PP. Thanks for your help. I was getting ready to format my computer!

Here are the logs you requested.
I have recently uninstalled Windows Media Player from my computer and deleted the files kept in the Windows Media Player folder in Program Files.
I think this is the only change I have made to my computer since the topic began.

Friday, November 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 13, 2008 19:50:55
Records in database: 1383528


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 75818
Threat name 3
Infected objects 5
Suspicious objects 0
Duration of the scan 01:47:37

File name Threat name Threats count
C:\Documents and Settings\Trollope\.housecall6.6\Quarantine\VVSNInst.exe.bac_a02252 Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP8\A0002591.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP8\A0002604.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP8\A0002618.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\System Volume Information\_restore{ABD46997-354A-4D50-907D-FD569FD71BC8}\RP12\A0003212.exe Infected: not-a-virus:Downloader.Win32.SpyNoMore.a 1

The selected area was scanned.
Attached File: OTScanIt.Txt (201.89KB)

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 14 November 2008 - 08:14 AM

Hello.

You were definitely infected, but it looks like it was removed.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for this Posted Image sign.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Kill Explorer]
    [Registry - Safe List]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {003F7B66-8E81-4C69-A4C0-8B73609283C0} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {50887A3E-98E4-477F-A03A-B7CD6389BB1C} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {6277CEAA-996A-485E-8245-4A31528803C7} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {6BB4BBB4-9506-4E50-A9EE-89BA967121FD} [HKLM] -> %SystemRoot%\system32\jkkICtqn.dll [Reg Error: Value  does not exist or could not be read.]
    YN -> {7611D02D-AD35-46E4-B41E-438C569B3EFD} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {998DAE3E-7D4F-4952-A71F-467D8FE64407} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {9C7C1C81-E002-43F3-8182-E9B0B6C59F89} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {F849FE04-066B-406C-9B9A-5701BD1C8A39} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "SiS Tray" -> %SystemRoot%\System32\sistray.EXE [C:\WINDOWS\System32\sistray.EXE]
    < Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "msnmsgr" -> %ProgramFiles%\MSN Messenger\msnmsgr.exe ["C:\Program Files\MSN Messenger\msnmsgr.exe" /background]
    YN -> "Symantec Network Driver Update Warning" -> %SystemDrive%\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE [C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE]
    < Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "msnmsgr" -> %ProgramFiles%\MSN Messenger\msnmsgr.exe ["C:\Program Files\MSN Messenger\msnmsgr.exe" /background]
    YN -> "Symantec Network Driver Update Warning" -> %SystemDrive%\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE [C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YN -> notdtc.dll -> 
    YN -> lvmrwe.dll -> 
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YN -> mlJBQHAP -> 
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    YN -> \{cb2a09be-63c1-11da-9072-000f3d300101}\Shell\Auto\command\\"" -> [infrom.exe]
    [Empty Temp Folders]
    [Reboot]
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Re-enable your protection at this point.

Please post back with:
-the OTScanIt fix log
-a new OTScanIt scan log (default settings)
-a new HijackThis log

What signs of infection do you have right now?

With Regards,
The Panda
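The HijackThis log in #1 and the fix script in #4 show the usual Vundo-era pattern: orphaned O2 BHO registrations, two unknown DLLs in AppInit_DLLs, and a Winlogon Notify handler with a random-looking name and no DLL path. The script below is an added example written for this page, not code from the thread, from HijackThis or from OTScanIt. It parses HijackThis-style lines and flags those entry classes so a reader can see which lines a helper looks at first; the severity scale and the rules are my assumptions modelled on what was removed above, not an official signature set, and the sample log is a constructed copy of entries from the posted log plus one benign O4 line.

```python
"""Triage a HijackThis 2.0 log for the entry classes cleaned up in this thread.

Added example, not code from the thread, HijackThis or OTScanIt. The rules
below are assumptions modelled on what the helper chose to remove, not an
official signature set.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: copies of entries from the log posted in #1, plus one
# benign O4 line to show that unflagged sections pass through untouched.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {003F7B66-8E81-4C69-A4C0-8B73609283C0} - (no file)
O2 - BHO: (no name) - {6BB4BBB4-9506-4E50-A9EE-89BA967121FD} - C:\WINDOWS\system32\jkkICtqn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{C869CEE0-5236-4137-97B5-3CE6549F88AA}: NameServer = 123.2.6.197 122.148.1.5
O20 - AppInit_DLLs: notdtc.dll lvmrwe.dll
O20 - Winlogon Notify: mlJBQHAP - C:\WINDOWS\
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

HJT_LINE = re.compile(r"^([ORF]\d+) - (.*)$")          # "O20 - <body>"
WINLOGON = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
NAMESERVER = re.compile(r"NameServer = (.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high", "medium" or "info" (assumed scale)
    reason: str
    line: str


def check_bho(body: str, line: str) -> list[Finding]:
    """O2: a BHO CLSID still registered although no DLL exists behind it."""
    if "(no file)" in body or "(file missing)" in body:
        return [Finding("O2", "medium",
                        "BHO registration with no file behind it (leftover of a removed component)", line)]
    return []


def check_o20(body: str, line: str) -> list[Finding]:
    """O20: AppInit_DLLs and Winlogon Notify, both system-wide DLL load points."""
    if body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        return [Finding("O20", "high",
                        f"AppInit_DLLs loads {dll} into every process that maps user32.dll", line)
                for dll in dlls]
    m = WINLOGON.match(body)
    if m:
        name, path = m.groups()
        if not path.lower().endswith(".dll"):
            return [Finding("O20", "high",
                            f"Winlogon Notify handler '{name}' names no DLL file ({path!r})", line)]
    return []


def check_dns(body: str, line: str) -> list[Finding]:
    """O17: per-adapter DNS servers; not malicious by itself, but worth confirming."""
    m = NAMESERVER.search(body)
    if m:
        servers = ", ".join(m.group(1).split())
        return [Finding("O17", "info",
                        f"adapter DNS servers set to {servers}; confirm they belong to the ISP", line)]
    return []


HANDLERS = {"O2": check_bho, "O20": check_o20, "O17": check_dns}


def triage(log_text: str) -> list[Finding]:
    """Parse every 'Oxx - ...' line and return the findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # process list, headers and blank lines are skipped
        section, body = m.groups()
        handler = HANDLERS.get(section)
        if handler:
            findings.extend(handler(body, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'medium': 2, 'info': 1, 'high': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports the two dead BHOs as medium, the two AppInit_DLLs entries and the mlJBQHAP Winlogon Notify handler as high, and the O17 name servers as informational; the Java BHO, the AVG Run entry and the SUPERAntiSpyware Winlogon handler pass through unflagged. The O17 rule is deliberately informational: a NameServer entry is normal, but a changed resolver is a common way to keep a cleaned machine redirected, so it belongs on the list of things to confirm rather than on the list of things to delete.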

#5 bingbong

bingbong
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:34 PM

Posted 14 November 2008 - 11:47 PM

Hi Panda, after I clicked 'Run Fix' a window came up saying...

The file or directory \Recycled\Dc170.sd is corrupt and unreadable. Please run the Chkdsk utility.

Then it needed to reboot.

After reboot, I still have those dodgy files in local settings\temp\WPDNSE that won't delete.
Also the recycle bin says there is an item in it that does not appear. When I went to click Empty Recycle Bin it said "Are you sure you want to delete "WINDOWS"?"
...so I clicked No; not sure what's going on!

...and lastly, on reboot there are several hidden files sitting on my desktop all of a sudden. Most of them are album art, so thumbnails that I have of albums. Seems very random.

Here is the OTScanIt fix log:

Explorer killed successfully
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{003F7B66-8E81-4C69-A4C0-8B73609283C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{003F7B66-8E81-4C69-A4C0-8B73609283C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50887A3E-98E4-477F-A03A-B7CD6389BB1C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50887A3E-98E4-477F-A03A-B7CD6389BB1C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6277CEAA-996A-485E-8245-4A31528803C7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6277CEAA-996A-485E-8245-4A31528803C7}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BB4BBB4-9506-4E50-A9EE-89BA967121FD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BB4BBB4-9506-4E50-A9EE-89BA967121FD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7611D02D-AD35-46E4-B41E-438C569B3EFD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7611D02D-AD35-46E4-B41E-438C569B3EFD}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{998DAE3E-7D4F-4952-A71F-467D8FE64407}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{998DAE3E-7D4F-4952-A71F-467D8FE64407}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C7C1C81-E002-43F3-8182-E9B0B6C59F89}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C7C1C81-E002-43F3-8182-E9B0B6C59F89}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F849FE04-066B-406C-9B9A-5701BD1C8A39}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F849FE04-066B-406C-9B9A-5701BD1C8A39}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SiS Tray deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msnmsgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Symantec Network Driver Update Warning deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msnmsgr not found.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Symantec Network Driver Update Warning not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:notdtc.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:lvmrwe.dll deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlJBQHAP\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb2a09be-63c1-11da-9072-000f3d300101}\Shell\Auto\command\\ deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\hbin scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\└   P scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\a scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Ď   vk
scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Category.ID scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\a scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.33b fix logfile created on 11152008_152325

Files moved on Reboot...
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\hbin not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\└   P not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\a not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Ď   vk
not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Category.ID not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\ not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

New OTScanIt scan log (default settings):

OTScanIt2 logfile created on: 15/11/2008 3:42:18 PM - Run 2
OTScanIt2 by OldTimer - Version 1.0.0.33b	 Folder = C:\Documents and Settings\Trollope\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy
 
1.25 Gb Total Physical Memory | 0.91 Gb Available Physical Memory | 72.77% Memory free
1.48 Gb Paging File | 1.18 Gb Available in Paging File | 79.39% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 9.28 Gb Free Space | 24.91% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HOME
Current User Name: Trollope
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
avgwdsvc.exe -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgwdsvc.exe -> [2008/11/02 09:22:38 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.)
nvsvc32.exe -> %SystemRoot%\System32\nvsvc32.exe -> [2002/09/27 15:38:00 | 00,065,536 | ---- | M] (NVIDIA Corporation)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation)
htpatch.exe -> %SystemRoot%\htpatch.exe -> [2002/10/30 17:40:34 | 00,028,672 | ---- | M] ()
itouch.exe -> %ProgramFiles%\Logitech\iTouch\iTouch.exe -> [2002/02/25 01:59:00 | 00,204,800 | ---- | M] (Logitech Inc.					)
cthelper.exe -> %SystemRoot%\system32\CTHELPER.EXE -> [2002/02/08 05:01:24 | 00,040,960 | ---- | M] (Creative Technology Ltd)
em_exec.exe -> %SystemDrive%\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE -> [2002/01/28 09:43:00 | 00,035,328 | ---- | M] (Logitech Inc.					)
rundll32.exe -> %SystemRoot%\system32\RunDll32.exe -> [2004/08/04 17:56:56 | 00,033,280 | ---- | M] (Microsoft Corporation)
dslstat.exe -> %ProgramFiles%\D-Link\DSL-200\dslstat.exe -> [2004/04/30 20:56:30 | 00,356,352 | ---- | M] (GlobespanVirata, Inc.)
dslagent.exe -> %ProgramFiles%\D-Link\DSL-200\dslagent.exe -> [2004/04/30 20:56:30 | 00,016,384 | ---- | M] ()
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
avgtray.exe -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgtray.exe -> [2008/11/02 09:22:50 | 01,234,712 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgrsx.exe -> [2008/11/02 09:22:50 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgemc.exe -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgemc.exe -> [2008/11/02 09:22:50 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.)
wuauclt.exe -> %SystemRoot%\system32\wuauclt.exe -> [2008/07/18 22:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation)
iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2008/08/23 16:56:16 | 00,635,848 | -HS- | M] (Microsoft Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2008/11/09 11:18:54 | 00,464,896 | ---- | M] (OldTimer Tools)
 
[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation)
(avg8emc) AVG Free8 E-mail Scanner [Win32_Own | Auto | Running] -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgemc.exe -> [2008/11/02 09:22:50 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.)
(avg8wd) AVG Free8 WatchDog [Win32_Own | Auto | Running] -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgwdsvc.exe -> [2008/11/02 09:22:38 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation)
(FontCache3.0.0.0) Windows Presentation Foundation Font Cache 3.0.0.0 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -> [2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation)
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -> [2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation)
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> [2006/11/10 19:18:02 | 00,774,144 | ---- | M] (Nero AG)
(NetTcpPortSharing) Net.Tcp Port Sharing Service [Win32_Shared | Disabled | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -> [2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation)
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %SystemRoot%\System32\nvsvc32.exe -> [2002/09/27 15:38:00 | 00,065,536 | ---- | M] (NVIDIA Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(sdAuxService) Spyware Doctor Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\svcntaux.exe -> [2007/04/19 11:08:00 | 00,708,176 | ---- | M] (PC Tools)
(sdCoreService) Spyware Doctor Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\swdsvc.exe -> [2007/04/19 11:08:06 | 01,302,608 | ---- | M] (PC Tools)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation)
(usnjsvc) Messenger Sharing Folders USN Journal Reader service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Live\Messenger\usnsvc.exe -> [2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation)
(WLSetupSvc) Windows Live Setup Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Live\installer\WLSetupSvc.exe -> [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2008/11/02 09:23:18 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> [2008/11/02 09:23:10 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgTdiX) AVG Free8 Network Redirector [Kernel | Auto | Running] -> %SystemRoot%\System32\Drivers\avgtdix.sys -> [2008/11/02 09:23:26 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.)
(basic2) basic2 [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\basic2.sys -> [2001/08/10 16:33:00 | 00,078,498 | ---- | M] (Conexant Systems)
(cmuda) C-Media WDM Audio Interface [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\cmuda.sys -> [2002/09/30 20:24:58 | 00,417,999 | ---- | M] (C-Media Inc)
(Cnxtdiag) Cnxtdiag [Kernel | Auto | Running] -> %SystemRoot%\System32\DRIVERS\cnxtdiag.sys -> [2001/07/04 17:42:00 | 00,017,776 | ---- | M] (Conexant Systems)
(ctac32k) Creative AC3 Software Decoder [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\ctac32k.sys -> [2002/03/22 23:08:12 | 00,114,944 | ---- | M] (Creative Technology Ltd)
(ctaud2k) Creative Audio Driver (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ctaud2k.sys -> [2002/03/22 23:09:40 | 00,835,636 | ---- | M] (Creative Technology Ltd)
(ctprxy2k) Creative Proxy Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\ctprxy2k.sys -> [2002/03/22 23:09:54 | 00,011,068 | ---- | M] (Creative Technology Ltd)
(ctsfm2k) Creative SoundFont Management Device Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\ctsfm2k.sys -> [2002/03/22 23:10:10 | 00,211,724 | ---- | M] (Creative Technology Ltd)
(emupia) E-mu Plug-in Architecture Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\emupia2k.sys -> [2002/03/22 23:10:20 | 00,156,604 | ---- | M] (Creative Technology Ltd)
(Fallback) Fallback [Kernel | Auto | Running] -> %SystemRoot%\System32\DRIVERS\fallback.sys -> [2001/07/13 13:52:00 | 00,310,739 | ---- | M] (Conexant Systems)
(Fsks) Fsks [Kernel | Auto | Running] -> %SystemRoot%\System32\DRIVERS\fsksnt.sys -> [2001/06/15 18:37:00 | 00,127,405 | ---- | M] (Conexant Systems)
(gameenum) Game Port Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\gameenum.sys -> [2004/08/04 16:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation)
(ha10kx2k) Creative Hardware Abstract Layer Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ha10kx2k.sys -> [2002/03/22 23:10:58 | 00,991,656 | ---- | M] (Creative Technology Ltd)
(hsf_msft) hsf_msft [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\HSF_MSFT.sys -> [2001/08/17 13:28:10 | 00,542,879 | ---- | M] (Conexant)
(IKFileFlt) File Filter Driver [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ikfileflt.sys -> [2007/04/19 15:18:08 | 00,039,248 | ---- | M] (PCTools Research Pty Ltd.)
(IKFileSec) File Security Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ikfilesec.sys -> [2007/04/19 15:18:12 | 00,052,304 | ---- | M] (PCTools Research Pty Ltd.)
(IkSysFlt) System Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksysflt.sys -> [2007/04/19 15:18:16 | 00,059,984 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysSec) System Security Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksyssec.sys -> [2007/04/19 15:18:20 | 00,083,536 | ---- | M] (PCTools Research Pty Ltd.)
(itchfltr) iTouch Keyboard Filter [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\itchfltr.sys -> [2002/09/28 12:47:38 | 00,010,496 | ---- | M] (Logitech Inc.					)
(K56) K56 [Kernel | Auto | Running] -> %SystemRoot%\System32\DRIVERS\k56nt.sys -> [2001/07/23 18:41:00 | 00,427,167 | ---- | M] (Conexant Systems)
(l8042pr2) Logitech PS/2 Mouse Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\L8042Pr2.sys -> [2002/09/28 12:47:36 | 00,050,994 | ---- | M] (Logitech)
(LHidFlt2) Logitech HID/USB Mouse Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\LHidFlt2.sys -> [2002/09/28 12:47:36 | 00,022,210 | ---- | M] (Logitech)
(LKbdFlt2) Logitech Keyboard Class Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\LKbdFlt2.sys -> [2002/09/28 12:47:36 | 00,005,842 | ---- | M] (Logitech)
(LMouFlt2) Logitech Mouse Class Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\LMouFlt2.sys -> [2002/09/28 12:47:36 | 00,067,698 | ---- | M] (Logitech)
(ms_mpu401) Microsoft MPU-401 MIDI UART Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\msmpu401.sys -> [2001/08/17 14:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation)
(Nbmkmd) Nbmkmd [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\Nbmkmd.sys -> [2001/03/15 17:08:54 | 00,042,900 | ---- | M] ()
(nm) Network Monitor Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\NMnt.sys -> [2004/08/04 15:59:50 | 00,040,320 | ---- | M] (Microsoft Corporation)
(ntcdrdrv) ntcdrdrv [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\ntcdrdrv.sys -> [2007/05/16 11:42:02 | 00,013,440 | ---- | M] (NoteBurn Software)
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\nv4_mini.sys -> [2002/09/27 15:38:00 | 01,104,282 | ---- | M] (NVIDIA Corporation)
(ossrv) Creative OS Services Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ctoss2k.sys -> [2002/03/22 23:09:52 | 00,195,432 | ---- | M] (Creative Technology Ltd.)
(pavboot) pavboot [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\pavboot.sys -> [2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.)
(PCNat) PC-Nat Miniport [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\pcnat.sys -> [2003/03/26 12:51:52 | 00,030,336 | ---- | M] (JDSoft Inc.)
(Pcouffin) Low level access layer for CD devices [Kernel | On_Demand | Running] -> %SystemRoot%\System32\Drivers\Pcouffin.sys -> [2007/10/01 11:42:06 | 00,035,904 | ---- | M] (VSO Software)
(PfModNT) PfModNT [Kernel | Auto | Stopped] -> %SystemRoot%\System32\PfModNT.SYS -> [1999/12/17 12:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\ptilink.sys -> [2002/08/29 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2005/04/25 19:03:00 | 00,020,640 | ---- | M] (Sonic Solutions)
(Rksample) Rksample [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\rksample.sys -> [2001/08/10 16:33:00 | 00,068,006 | ---- | M] (Conexant Systems)
(ROOTMODEM) Microsoft Legacy Modem Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\Drivers\RootMdm.sys -> [2002/08/29 12:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation)
(rtl8139) Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\R8139n51.SYS -> [2002/04/01 09:47:36 | 00,045,312 | ---- | M] (Realtek Semiconductor Corporation)
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASDIFSV.SYS -> [2008/09/03 14:07:14 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> [2008/09/03 14:07:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.sys -> [2008/09/03 14:07:12 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\secdrv.sys -> [2007/11/13 21:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(SiS315) SiS315 [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\sisgrp.sys -> [2003/01/23 18:08:00 | 00,257,408 | ---- | M] (Silicon Integrated Systems Corporation)
(sisagp) SiS AGP Filter [Kernel | Boot | Running] -> %SystemRoot%\System32\DRIVERS\SISAGPX.sys -> [2002/10/31 11:58:42 | 00,030,848 | ---- | M] (Silicon Integrated Systems Corporation)
(SoftFax) SoftFax [Kernel | Auto | Running] -> %SystemRoot%\System32\DRIVERS\faxnt.sys -> [2001/06/15 18:36:00 | 00,216,987 | ---- | M] (Conexant Systems)
(SONYPVU1) Sony USB Filter Driver (SONYPVU1) [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\SONYPVU1.SYS -> [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation)
(Tones) Tones [Kernel | Auto | Running] -> %SystemRoot%\System32\DRIVERS\tonesnt.sys -> [2001/06/15 18:35:00 | 00,056,639 | ---- | M] (Conexant Systems)
(V124) V124 [Kernel | Auto | Running] -> %SystemRoot%\System32\DRIVERS\v124nt.sys -> [2001/07/23 18:40:00 | 00,534,605 | ---- | M] (Conexant Systems)
(wanusb) D-Link DSL-200 USB ADSL Modem(WAN) [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\gwausb.sys -> [2004/04/30 20:56:16 | 00,150,369 | ---- | M] (GlobespanVirata Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\HSF_CNXT.sys -> [2001/08/10 16:36:00 | 00,585,152 | ---- | M] (Conexant Systems)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" ->  -> 
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\windows\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"Default_Search_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Page_Transitions" ->  -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.google.com -> 
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_USERS\.DEFAULT\: Main\\"Start Page" -> http://global.acer.com/ -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_USERS\S-1-5-18\: Main\\"Start Page" -> http://global.acer.com/ -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
HKEY_USERS\S-1-5-20\: Main\\"Start Page" -> http://global.acer.com/ -> 
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\] > -> -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\: Main\\"Page_Transitions" ->  -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\: Main\\"Start Page" -> http://www.google.com -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\: "ProxyEnable" -> 0 -> 
< HOSTS File > (686 bytes and 19 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2008/11/02 09:22:50 | 00,455,960 | ---- | M] (AVG Technologies CZ, s.r.o.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> [2008/06/10 04:27:02 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"AVG8_TRAY" -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> [2008/11/02 09:22:50 | 01,234,712 | ---- | M] (AVG Technologies CZ, s.r.o.)
"Cmaudio" ->  [RunDll32 cmicnfg.cpl,CMICtrlWnd] -> File not found
"DSLAGENTEXE" -> %ProgramFiles%\D-Link\DSL-200\dslagent.exe [C:\Program Files\D-Link\DSL-200\dslagent.exe] -> [2004/04/30 20:56:30 | 00,016,384 | ---- | M] ()
"DSLSTATEXE" -> %ProgramFiles%\D-Link\DSL-200\dslstat.exe [C:\Program Files\D-Link\DSL-200\dslstat.exe icon] -> [2004/04/30 20:56:30 | 00,356,352 | ---- | M] (GlobespanVirata, Inc.)
"EM_EXEC" -> %SystemDrive%\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE [C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE] -> [2002/01/28 09:43:00 | 00,035,328 | ---- | M] (Logitech Inc.					)
"HTpatch" -> %SystemRoot%\htpatch.exe [C:\WINDOWS\htpatch.exe] -> [2002/10/30 17:40:34 | 00,028,672 | ---- | M] ()
"NvCplDaemon" -> %SystemRoot%\System32\NvCpl.DLL [RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup] -> [2002/09/27 15:38:00 | 04,214,784 | ---- | M] (NVIDIA Corporation)
"QuickTime Task" -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2007/06/29 06:24:52 | 00,286,720 | ---- | M] (Apple Inc.)
"SiS KHooker" -> %SystemRoot%\System32\khooker.exe [C:\WINDOWS\System32\khooker.exe] -> [2001/08/30 22:23:58 | 00,270,595 | ---- | M] (Silicon Integrated Systems Corporation)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe [C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe] -> [2008/06/10 04:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
"UpdReg" -> %SystemRoot%\UpdReg.EXE [C:\WINDOWS\UpdReg.EXE] -> [2000/05/11 01:00:00 | 00,090,112 | ---- | M] (Creative Technology Ltd.)
"WINDVDPatch" -> %SystemRoot%\system32\CTHELPER.EXE [CTHELPER.EXE] -> [2002/02/08 05:01:24 | 00,040,960 | ---- | M] (Creative Technology Ltd)
"zBrowser Launcher" -> %ProgramFiles%\Logitech\iTouch\iTouch.exe [C:\Program Files\Logitech\iTouch\iTouch.exe] -> [2002/02/25 01:59:00 | 00,204,800 | ---- | M] (Logitech Inc.					)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersProfile%\Start Menu\Programs\Startup\Microsoft Office.lnk -> %ProgramFiles%\Microsoft Office\Office10\OSA.EXE -> [2001/02/13 01:01:04 | 00,083,360 | ---- | M] (Microsoft Corporation)
< Trollope Startup Folder > -> C:\Documents and Settings\Trollope\Start Menu\Programs\Startup -> 
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005] > -> HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [149] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005] > -> HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005] > -> HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2008/08/04 16:12:50 | 10,354,176 | ---- | M] (Microsoft Corporation)
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2008/08/04 16:12:50 | 10,354,176 | ---- | M] (Microsoft Corporation)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2008/08/04 16:12:50 | 10,354,176 | ---- | M] (Microsoft Corporation)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\] > -> HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2008/08/04 16:12:50 | 10,354,176 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{85d1f590-48f4-11d9-9669-0800200c9a66}:Exec [HKLM] -> %SystemRoot%\bdoscandel.exe [Menu: Uninstall BitDefender Online Scanner v8] -> [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{85d1f590-48f4-11d9-9669-0800200c9a66}" [HKLM] -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] -> [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\] > -> HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %SystemRoot%\System32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{85d1f590-48f4-11d9-9669-0800200c9a66}" [HKLM] -> %SystemRoot%\bdoscandel.exe [Uninstall BitDefender Online Scanner v8] -> [2006/05/25 01:22:06 | 00,053,248 | ---- | M] ()
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %SystemDrive%\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
Extension\.spop -> %ProgramFiles%\Internet Explorer\Plugins\NPDocBox.dll [] -> [2001/01/30 13:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\] > -> HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\] > -> HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-782189750-2424629274-2587936551-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{0246ECA8-996F-11D1-BE2F-00A0C9037DFE} [HKLM] -> http://www.kvali.com/wfplayer/tdserver.cab[TDServer Control] -> 
{04E214E5-63AF-4236-83C6-A7ADCBF9BD02} [HKLM] -> http://housecall60.trendmicro.com/housecall/xscan60.cab[HouseCall Control] -> 
{0CCA191D-13A6-4E29-B746-314DEE697D83} [HKLM] -> http://upload.facebook.com/controls/FacebookPhotoUploader5.cab[Facebook Photo Uploader 5] -> 
{1239CC52-59EF-4DFA-8C61-90FFA846DF7E} [HKLM] -> http://www.musicnotes.com/download/mnviewer.cab[Musicnotes Viewer] -> 
{166B1BCA-3F9C-11CF-8075-444553540000} [HKLM] -> http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] -> 
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409[Windows Genuine Advantage Validation Tool] -> 
{2646205B-878C-11D1-B07C-0000C040BCDB} [HKLM] -> file://D:\HD\nskey.dll[NSIEMisc Class] -> 
{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} [HKLM] -> http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab[ActiveScan 2.0 Installer Class] -> 
{41F17733-B041-4099-A042-B518BB6A408C} [HKLM] -> http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe[Reg Error: Key does not exist or could not be opened.] -> 
{556DDE35-E955-11D0-A707-000000521957} [HKLM] -> http://www.xblock.com/download/xclean_micro.exe[Reg Error: Key does not exist or could not be opened.] -> 
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [HKLM] -> http://download.bitdefender.com/resources/scan8/oscan8.cab[BDSCANONLINE Control] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098516934953[WUWebControl Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201510920343[MUWebControl Class] -> 
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} [HKLM] -> http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[HouseCall Control] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab[Reg Error: Value  does not exist or could not be read.] -> 
{A8F2B9BD-A6A0-486A-9744-18920D898429} [HKLM] -> http://www.sibelius.com/download/software/win/ActiveXPlugin.cab[ScorchPlugin Class] -> 
{A90A5822-F108-45AD-8482-9BC8B12DD539} [HKLM] -> http://www.crucial.com/controls/cpcScanner.cab[Crucial cpcScan] -> 
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} [HKLM] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] -> 
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} [HKLM] -> [Java Plug-in 1.5.0_04] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} [HKLM] -> http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4324/mcfscan.cab[McFreeScan Class] -> 
DirectAnimation Java Classes [HKLM] -> file://C:\WINDOWS\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.] -> 
Microsoft XML Parser for Java [HKLM] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{050C417B-206B-40B0-9B30-40A4595A0415} ->	(1394 Net Adapter) -> 
{7232C297-3E10-48A6-807C-78FF19F4F8A1} ->	(1394 Net Adapter) -> 
{F14F44A7-7D56-4E33-9F13-0F6710BDFCCC} ->	(Realtek RTL8139/810x Family Fast Ethernet NIC) -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
avgrsstx.dll -> %SystemRoot%\system32\avgrsstx.dll -> [2008/11/02 09:23:26 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> [2008/07/23 16:28:18 | 00,352,256 | ---- | M] (SUPERAntiSpyware.com)
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> [2008/05/13 10:13:36 | 00,077,824 | ---- | M] (SuperAdBlocker.com)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/04 17:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" -> C:\Program Files\Windows Live\Messenger\livecall.exe [C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)] -> [2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" -> C:\Program Files\Windows Live\Messenger\msnmsgr.exe [C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger] -> [2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2006/10/10 23:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2004/08/04 17:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgemc.exe" -> C:\Program Files\AVG\AVG8\avgemc.exe [C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe] -> [2008/11/02 09:22:50 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe] -> [2008/11/02 09:22:50 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Kazaa Lite\clean.kmd" -> C:\Program Files\Kazaa Lite\clean.kmd [C:\Program Files\Kazaa Lite\clean.kmd:*:Enabled:clean] -> [2003/07/16 19:19:52 | 02,234,368 | ---- | M] ()
"C:\Program Files\Kazaa Lite\klrun.exe" -> C:\Program Files\Kazaa Lite\klrun.exe [C:\Program Files\Kazaa Lite\klrun.exe:*:Enabled:Kazaa Lite] -> [2003/06/25 19:52:14 | 00,018,944 | ---- | M] (Rocko)
"C:\Program Files\messenger\msmsgs.exe" -> C:\Program Files\messenger\msmsgs.exe [C:\Program Files\messenger\msmsgs.exe:*:Enabled:Windows Messenger] -> [2004/10/14 03:24:38 | 01,694,208 | -HS- | M] (Microsoft Corporation)
"C:\Program Files\Shareaza\Shareaza.exe" -> C:\Program Files\Shareaza\Shareaza.exe [C:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza Ultimate File Sharing] -> [2005/10/27 18:44:40 | 03,887,104 | ---- | M] (Shareaza Development Team)
"C:\Program Files\Skype\Phone\Skype.exe" -> C:\Program Files\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype] -> [2007/02/09 16:00:48 | 25,388,584 | ---- | M] (Skype Technologies S.A.)
"C:\Program Files\Windows Live\Messenger\livecall.exe" -> C:\Program Files\Windows Live\Messenger\livecall.exe [C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)] -> [2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" -> C:\Program Files\Windows Live\Messenger\msnmsgr.exe [C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger] -> [2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -> C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger] -> File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" -> C:\Program Files\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server] -> File not found
"C:\WINDOWS\System32\P2P Networking\P2P Networking.exe" -> C:\WINDOWS\System32\P2P Networking\P2P Networking.exe [C:\WINDOWS\System32\P2P Networking\P2P Networking.exe:*:Enabled:P2P Networking] -> File not found
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> %SystemRoot%\System32\DRIVERS\cdrom.sys [System32\DRIVERS\cdrom.sys] -> [2004/08/04 15:59:52 | 00,049,536 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ] -> %SystemDrive%\AUTOEXEC.BAT [ FAT32 ] -> [2006/10/21 18:44:26 | 00,000,050 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
\{cb2a09be-63c1-11da-9072-000f3d300101}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb2a09be-63c1-11da-9072-000f3d300101}\Shell\AutoRun
\{cb2a09be-63c1-11da-9072-000f3d300101}\Shell\AutoRun\\"" ->  [Auto&Play] -> File not found
 
 
[Files/Folders - Created Within 30 Days]
_OTScanIt -> %SystemDrive%\_OTScanIt -> [2008/11/15 15:23:25 | 00,000,000 | ---D | C]
kapersky.html -> %UserProfile%\Desktop\kapersky.html -> [2008/11/14 18:06:41 | 00,003,962 | ---- | C] ()
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2008/11/14 15:05:57 | 00,000,000 | ---D | C]
Copy of DSC00947.JPG -> %UserProfile%\Desktop\Copy of DSC00947.JPG -> [2008/11/13 22:45:26 | 02,106,910 | ---- | C] ()
Copy of DSC00946.JPG -> %UserProfile%\Desktop\Copy of DSC00946.JPG -> [2008/11/13 22:44:36 | 01,984,872 | ---- | C] ()
Copy of DSC00944.JPG -> %UserProfile%\Desktop\Copy of DSC00944.JPG -> [2008/11/13 22:44:07 | 02,066,307 | ---- | C] ()
windows media player -> %ProgramFiles%\windows media player -> [2008/11/13 10:18:09 | 00,000,000 | ---D | C]
My Music -> %SystemDrive%\My Music -> [2008/11/09 11:27:33 | 00,000,000 | ---D | C]
nscompat.tlb -> %SystemRoot%\System32\nscompat.tlb -> [2008/11/09 10:40:24 | 00,023,392 | ---- | C] ()
amcompat.tlb -> %SystemRoot%\System32\amcompat.tlb -> [2008/11/09 10:40:24 | 00,016,832 | ---- | C] ()
$AVG8.VAULT$ -> %SystemDrive%\$AVG8.VAULT$ -> [2008/11/06 20:40:14 | 00,000,000 | -H-D | C]
Guitar Freak Workstation.exe -> %UserProfile%\Desktop\Guitar Freak Workstation.exe -> [2008/11/04 12:45:40 | 06,070,784 | ---- | C] (Guitar Freak Workstation with SightReader Master)
29781709-SR -> %SystemRoot%\29781709-SR -> [2008/11/04 12:42:50 | 00,000,000 | -H-- | C] ()
sightreader master2.exe -> %UserProfile%\Desktop\sightreader master2.exe -> [2008/11/04 11:40:48 | 08,519,680 | ---- | C] (Sean Clancy Enterprises)
29781583-GF -> %SystemRoot%\29781583-GF -> [2008/11/02 21:22:56 | 00,000,000 | -H-- | C] ()
Date Cracker 2000 -> %ProgramFiles%\Date Cracker 2000 -> [2008/11/02 21:04:01 | 00,000,000 | ---D | C]
Setup1.exe -> %SystemRoot%\Setup1.exe -> [2008/11/02 21:03:46 | 00,249,856 | ---- | C] (Microsoft Corporation)
w32dasm8.ini -> %SystemRoot%\w32dasm8.ini -> [2008/11/02 10:03:14 | 00,000,226 | ---- | C] ()
W32DASM -> %SystemDrive%\W32DASM -> [2008/11/02 10:02:17 | 00,000,000 | ---D | C]
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2008/11/02 09:23:25 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2008/11/02 09:23:24 | 00,076,040 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2008/11/02 09:23:16 | 00,097,928 | ---- | C] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2008/11/02 09:23:09 | 00,026,824 | ---- | C] (AVG Technologies CZ, s.r.o.)
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2008/11/02 09:23:01 | 30,112,724 | ---- | C] ()
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2008/11/02 09:23:01 | 06,061,540 | ---- | C] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2008/11/02 09:23:01 | 00,334,743 | ---- | C] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2008/11/02 09:23:01 | 00,031,102 | ---- | C] ()
Avg -> %SystemRoot%\System32\drivers\Avg -> [2008/11/02 09:23:01 | 00,000,000 | ---D | C]
AVG -> %ProgramFiles%\AVG -> [2008/11/02 09:22:34 | 00,000,000 | ---D | C]
avg8 -> %AllUsersProfile%\Application Data\avg8 -> [2008/11/02 09:22:28 | 00,000,000 | ---D | C]
w32demo8.ini -> %SystemRoot%\w32demo8.ini -> [2008/11/02 09:19:06 | 00,000,170 | ---- | C] ()
New Folder -> %UserProfile%\Desktop\New Folder -> [2008/11/02 08:57:56 | 00,000,000 | ---D | C]
fsaua.data -> %SystemDrive%\fsaua.data -> [2008/10/24 07:51:35 | 00,000,000 | ---D | C]
!KillBox -> %SystemDrive%\!KillBox -> [2008/10/19 09:10:08 | 00,000,000 | ---D | C]
DelinvFile -> %AppData%\DelinvFile -> [2008/10/19 08:37:10 | 00,000,000 | ---D | C]
PurgeIE -> %ProgramFiles%\PurgeIE -> [2008/10/19 08:37:02 | 00,000,000 | ---D | C]
pavboot.sys -> %SystemRoot%\System32\drivers\pavboot.sys -> [2008/10/19 07:58:48 | 00,028,544 | ---- | C] (Panda Security, S.L.)
Panda Security -> %ProgramFiles%\Panda Security -> [2008/10/19 07:58:29 | 00,000,000 | ---D | C]
 
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help -> [2003/03/03 09:49:56 | 00,000,000 | ---D | M]
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [2004/05/02 18:05:54 | 00,001,310 | ---- | M] ()
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader -> [2003/03/04 05:35:46 | 00,000,000 | ---D | M]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2008/11/13 23:07:00 | 00,004,232 | ---- | M] ()
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2008/11/13 23:07:00 | 00,005,484 | ---- | M] ()
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\ -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data -> [2003/06/19 18:36:54 | 00,000,000 | ---D | M]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat -> [2004/05/09 17:07:42 | 00,001,908 | ---- | M] ()
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\opa11.dat -> [2005/05/07 14:07:24 | 00,008,206 | ---- | M] ()
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [2008/11/15 15:41:02 | 00,000,366 | ---- | M] ()
incavi.avm -> %SystemRoot%\System32\drivers\Avg\incavi.avm -> [2008/11/15 15:30:24 | 30,112,724 | ---- | M] ()
microavi.avg -> %SystemRoot%\System32\drivers\Avg\microavi.avg -> [2008/11/15 15:29:46 | 00,031,102 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2008/11/15 15:27:48 | 00,001,158 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2008/11/15 15:26:32 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2008/11/15 15:26:26 | 00,002,048 | --S- | M] ()
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [2008/11/14 22:58:32 | 00,000,069 | ---- | M] ()
kapersky.html -> %UserProfile%\Desktop\kapersky.html -> [2008/11/14 18:06:42 | 00,003,962 | ---- | M] ()
Copy of DSC00947.JPG -> %UserProfile%\Desktop\Copy of DSC00947.JPG -> [2008/11/13 22:45:28 | 02,106,910 | ---- | M] ()
Copy of DSC00946.JPG -> %UserProfile%\Desktop\Copy of DSC00946.JPG -> [2008/11/13 22:44:38 | 01,984,872 | ---- | M] ()
Copy of DSC00944.JPG -> %UserProfile%\Desktop\Copy of DSC00944.JPG -> [2008/11/13 22:44:10 | 02,066,307 | ---- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2008/11/13 11:28:56 | 00,001,393 | ---- | M] ()
miniavi.avg -> %SystemRoot%\System32\drivers\Avg\miniavi.avg -> [2008/11/13 10:05:38 | 00,334,743 | ---- | M] ()
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [2008/11/11 13:28:36 | 00,054,156 | -H-- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2008/11/09 11:00:58 | 00,527,578 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2008/11/09 11:00:58 | 00,445,870 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2008/11/09 11:00:58 | 00,072,824 | ---- | M] ()
mapisvc.inf -> %SystemRoot%\System32\mapisvc.inf -> [2008/11/09 11:00:36 | 00,000,057 | ---- | M] ()
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx -> [2008/11/09 10:43:22 | 00,316,640 | ---- | M] ()
nscompat.tlb -> %SystemRoot%\System32\nscompat.tlb -> [2008/11/09 10:41:24 | 00,023,392 | ---- | M] ()
amcompat.tlb -> %SystemRoot%\System32\amcompat.tlb -> [2008/11/09 10:41:24 | 00,016,832 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2008/11/09 10:41:20 | 00,001,051 | ---- | M] ()
w32dasm8.ini -> %SystemRoot%\w32dasm8.ini -> [2008/11/04 13:45:18 | 00,000,226 | ---- | M] ()
netdet.ini -> %SystemRoot%\netdet.ini -> [2008/11/04 12:57:44 | 00,000,124 | ---- | M] ()
29781709-SR -> %SystemRoot%\29781709-SR -> [2008/11/04 12:42:52 | 00,000,000 | -H-- | M] ()
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2008/11/03 16:10:26 | 17,318,336 | ---- | M] (Microsoft Corporation)
29781583-GF -> %SystemRoot%\29781583-GF -> [2008/11/02 21:22:58 | 00,000,000 | -H-- | M] ()
Setup1.exe -> %SystemRoot%\Setup1.exe -> [2008/11/02 21:03:48 | 00,249,856 | ---- | M] (Microsoft Corporation)
ST6UNST.EXE -> %SystemRoot%\ST6UNST.EXE -> [2008/11/02 21:03:42 | 00,073,216 | ---- | M] (Microsoft Corporation)
w32demo8.ini -> %SystemRoot%\w32demo8.ini -> [2008/11/02 09:38:50 | 00,000,170 | ---- | M] ()
avgtdix.sys -> %SystemRoot%\System32\drivers\avgtdix.sys -> [2008/11/02 09:23:26 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsstx.dll -> %SystemRoot%\System32\avgrsstx.dll -> [2008/11/02 09:23:26 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgldx86.sys -> %SystemRoot%\System32\drivers\avgldx86.sys -> [2008/11/02 09:23:18 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgmfx86.sys -> %SystemRoot%\System32\drivers\avgmfx86.sys -> [2008/11/02 09:23:10 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.)
avi7.avg -> %SystemRoot%\System32\drivers\Avg\avi7.avg -> [2008/11/02 09:23:02 | 06,061,540 | ---- | M] ()
mrxsmb.sys -> %SystemRoot%\System32\drivers\mrxsmb.sys -> [2008/10/24 22:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation)
mrxsmb.sys -> %SystemRoot%\System32\dllcache\mrxsmb.sys -> [2008/10/24 22:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation)
BBW_INFO.INI -> %SystemRoot%\BBW_INFO.INI -> [2008/10/20 10:30:42 | 00,000,095 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2008/10/16 20:25:46 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2008/10/16 20:25:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
< End of report >

- new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:56, on 15/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kvali.com/wfplayer/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098516934953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201510920343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...324/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C869CEE0-5236-4137-97B5-3CE6549F88AA}: NameServer = 123.2.6.197 122.148.1.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Trollope/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Trollope/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 7963 bytes

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 November 2008 - 09:43 AM

Hello.

The recycling bin "WINDOWS" is probably caused by a file inside named WINDOWS. Don't worry as you can't delete WINDOWS just like that.

OTScanIt probably unhid the hidden files. We will reset those when we are done.

Run this fix with OTScanIt and post back the fix log:
[Extra Files]
Purity
[Empty Temp Folders]

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the OTScanIt fix log
-the F-Secure log
-a new HijackThis log

With Regards,
The Panda

#7 bingbong
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Female

Posted 15 November 2008 - 09:28 PM

While doing the fix I got an exclamation alert saying the same as last time:
The file or directory \Recycled\Dc170.sd is corrupt and unreadable. Please run the Chkdsk utility.

The F-Secure scan picked up the Vundo virus, but when I clicked automatic cleaning it didn't actually remove it or anything (this has happened before). So I did a custom scan afterwards on WINDOWS\SYSTEM32, where the virus was located, and then I manually deleted it. I've posted both scans.

OTScanIt log

[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\hbin scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\└   P scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\a scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Ď   vk
scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Category.ID scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\a scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.33b fix logfile created on 11162008_095655

Files moved on Reboot...
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\hbin not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\└   P not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\a not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Ď   vk
not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\Category.ID not found!
File C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\ not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

F-Secure scan logs

Sunday, November 16, 2008 10:11:36 - 12:34:07
Computer name: HOME
Scanning type: Scan system for malware, rootkits
Target: C:\
________________________________________
Result: 1 malware found
Vundo.FBW (virus)
• C:\WINDOWS\SYSTEM32\PXPQNOIP.INI
________________________________________
Statistics
Scanned:
• Files: 53982
• System: 4140
• Not scanned: 26
Actions:
• Disinfected: 0
• Renamed: 0
• Deleted: 0
• None: 1
• Submitted: 0
Files not scanned:
• C:\PAGEFILE.SYS
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{ABD46997-354A-4D50-907D-FD569FD71BC8}(2)\FIFOED(2)\SNAPSHOT(2)\_REGISTRY_MACHINE_SOFTWARE
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{ABD46997-354A-4D50-907D-FD569FD71BC8}(2)\RP967(2)\A0129191.EXE
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DRO8RI75\HEADER[1].HTM
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DRO8RI75\FIN[1].JPG
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DRO8RI75\DNSERROR[1]
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DRO8RI75\BULLET[1]
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DRO8RI75\FAVCENTER[1]
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7IQMB360\HTTPERRORPAGESSCRIPTS[1]
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7IQMB360\INFO_48[1]
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7IQMB360\DOWN[1]
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7IQMB360\TOOLS[1]
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CCBI15BQ\ADSADCLIENT31[5].HTM
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMP\WPDNSE\HBIN
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMP\WPDNSE\+���P
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMP\WPDNSE\A
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMP\WPDNSE\Ϡ��VK
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMP\WPDNSE\
• C:\DOCUMENTS AND SETTINGS\TROLLOPE\LOCAL SETTINGS\TEMP\WPDNSE\A
• C:\WINDOWS\SYSTEM32\MSXML6.DLL
• C:\WINDOWS\SYSTEM32\MSXML6.DLL
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
• C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
• C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
• C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
• C:\WINDOWS\SYSTEM32\CONFIG\SAM
________________________________________
Options
Scanning engines:
• F-Secure USS: 2.40.0
• F-Secure Hydra: 2.8.8110, 2008-11-15
• F-Secure AVP: 7.0.171, 2008-11-15
• F-Secure Pegasus: 1.20.0, 2008-10-10
• F-Secure Blacklight: 2.4.1093
Scanning options:
• Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
• Use Advanced heuristics

Scanning Report
Sunday, November 16, 2008 13:00:03 - 13:15:03

Computer name: HOME
Scanning type: Scan target for malware
Target: C:\WINDOWS\system32
________________________________________
Result: 1 malware found
Vundo.FBW (virus)
• C:\WINDOWS\SYSTEM32\PXPQNOIP.INI (Deleted)
________________________________________
Statistics
Scanned:
• Files: 4161
• System: 0
• Not scanned: 7
Actions:
• Disinfected: 0
• Renamed: 0
• Deleted: 1
• None: 0
• Submitted: 0
Files not scanned:
• C:\WINDOWS\SYSTEM32\MSXML6.DLL
• C:\WINDOWS\SYSTEM32\MSXML6.DLL
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
• C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
• C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
• C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
• C:\WINDOWS\SYSTEM32\CONFIG\SAM
________________________________________
Options
Scanning engines:
• F-Secure USS: 2.40.0
• F-Secure Hydra: 2.8.8110, 2008-11-15
• F-Secure AVP: 7.0.171, 2008-11-15
• F-Secure Pegasus: 1.20.0, 2008-10-10
• F-Secure Blacklight: 2.4.1093
Scanning options:
• Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
• Use Advanced heuristics

HIJACKTHIS.LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:28:04, on 16/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kvali.com/wfplayer/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098516934953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201510920343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...324/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C869CEE0-5236-4137-97B5-3CE6549F88AA}: NameServer = 123.2.6.197 122.148.1.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Trollope/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Trollope/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 7968 bytes
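The HijackThis log above is the kind of artefact a helper reads by section code (O4 autoruns, O16 downloaded ActiveX controls, O17 DNS servers, O20 AppInit_DLLs, O24 desktop components). The following script is an added example, not part of this thread and not a HijackThis or BleepingComputer tool: it parses entries in the HijackThis 2.0 line format, counts them per section, and flags the entry types a reviewer looks at first. The sample log is constructed: most lines are copied from the log posted above, and the O4 line marked CONSTRUCTED is made up to show the user-writable-location rule firing. The triage rules themselves are assumptions chosen for illustration, not HijackThis's own logic.

```python
"""Triage helper for HijackThis 2.0 logs (added example; assumed rules)."""
import re
from collections import Counter

# Constructed sample in the HijackThis format. Real entries are copied from
# the log in the thread; the line marked CONSTRUCTED is invented for the demo.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CONSTRUCTED] C:\DOCUME~1\Trollope\LOCALS~1\Temp\sample.exe
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\HD\nskey.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C869CEE0-5236-4137-97B5-3CE6549F88AA}: NameServer = 123.2.6.197 122.148.1.5
O20 - AppInit_DLLs: avgrsstx.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Trollope/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
--
"""

# HijackThis entries are "<R|F|N|O><number> - <body>"; everything else
# (header, process list, footer) is skipped by the parser.
ENTRY_RE = re.compile(r"^([FNOR]\d{1,2}) - (.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Path fragments that mean "user-writable location" (assumed list; both the
# backslash and the file:/// forward-slash spelling are covered).
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\application data\\",
                 "\\recycled\\", "/temp/", "/locals~1/")


def parse_hjt(text):
    """Return [(section, body)] for every entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def section_counts(entries):
    """Number of entries per section code, e.g. {'O4': 4, 'O16': 1, ...}."""
    return dict(Counter(sec for sec, _ in entries))


def nameservers(entries):
    """All IP addresses listed in O17 NameServer entries, in log order."""
    ips = []
    for sec, body in entries:
        if sec == "O17":
            ips.extend(IP_RE.findall(body))
    return ips


def triage(entries):
    """Flag entries worth a reviewer's attention as (section, reason, body).

    These rules are assumptions for the example: they pick out the entry
    types that are reviewed first, not a verdict of malicious or clean."""
    findings = []
    for sec, body in entries:
        low = body.lower()
        if sec == "O4" and any(tok in low for tok in USER_WRITABLE):
            findings.append((sec, "autorun from a user-writable location", body))
        elif sec == "O16" and "file://" in low:
            findings.append((sec, "ActiveX DPF entry points at a local file, not a web host", body))
        elif sec == "O17":
            reason = "NameServer = " + ", ".join(IP_RE.findall(body)) + "; confirm these are the ISP's resolvers"
            findings.append((sec, reason, body))
        elif sec == "O20":
            findings.append((sec, "AppInit_DLLs/Winlogon Notify DLL loads into many processes; verify its vendor", body))
        elif sec == "O24" and any(tok in low for tok in USER_WRITABLE):
            findings.append((sec, "desktop component referencing a Temp file", body))
    return findings


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print(section_counts(ents))
    for sec, reason, body in triage(ents):
        print(f"[{sec}] {reason}\n    {body}")
```

Run against the constructed sample, the three autoruns under C:\WINDOWS and C:\PROGRA~1 are left alone, while the O17 line surfaces the two configured DNS servers for verification and the O16, O20 and O24 lines are listed for a reviewer to confirm against the known software on the machine.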

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 16 November 2008 - 09:21 AM

Hello.

The Vundo detected was only a leftover. It was not active. The files it can't scan are in use, or system files.

The hidden files you see are Windows files that save the folder settings. We will rehide them when we are done.

Could you try to manually delete that whole folder:
C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE

If you are able to do so, recreate the folder. Otherwise, tell me if you can't.

With Regards,
The Panda

#9 bingbong
  • Topic Starter
  • Members
  • 36 posts
  • Gender:Female

Posted 17 November 2008 - 12:00 AM

No, sadly I can't delete any files in the folder or the folder itself.

When deleting single files in the WPDNSE folder I get this...

Cannot delete file: Cannot read from the source file or disk.

When deleting the WPDNSE folder itself I get this...

Cannot delete hbin: Cannot find the specified file.
Make sure you specify the correct path and file name.

Edited by bingbong, 17 November 2008 - 12:03 AM.


#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 November 2008 - 11:42 AM

Hello.

I don't think that folder is dangerous. It appears to be related to Windows Portable Device Namespace Extension.

With Regards,
The Panda

#11 bingbong
  • Topic Starter
  • Members
  • 36 posts
  • Gender:Female

Posted 17 November 2008 - 05:27 PM

Hmm... but why does spydoctor say the files are of high risk danger level?
... also, strange things happen when I navigate to C:\Documents and Settings\Trollope:
first, Windows Installer pops up and tries to install Microsoft Project Professional 2002... and then Windows Live ID tries to get me to sign in several times after I press cancel... (it doesn't look genuine either).
Maybe I'm best to format my computer?

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 November 2008 - 05:48 PM

That is strange.

Let's see what is in that folder.

Open OTScanIt. Paste into the Custom Scans:
C:\Documents and Settings\Trollope\* /s
C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\* /s
C:\Documents and Settings\Trollope\Local Settings\Temp\WPDNSE\* /s /u

Attach that log in your next reply.

Could you tell me what infection SpyBot says is in the WPDNSE folder?

With Regards,
The Panda

#13 bingbong
  • Topic Starter
  • Members
  • 36 posts
  • Gender:Female

Posted 18 November 2008 - 07:13 AM

All spydoctor tells me is that the files are hidden and of high level risk; it doesn't actually give me a name or a description of the infection.

I'm having a lot of trouble with the OT Scan.
It keeps freezing when I do the custom scan, so I tried it in safe mode, which did work.
I can't seem to paste the log into the message; it keeps freezing!
And I can't attach it because I have used too much space already, I think, or it's too big?

#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 November 2008 - 11:51 AM

Hello.

Please upload the log to me here.

Submit File Sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/176560/recent-infection-from-trojanvundo-and-malwaretrace/
  • Select the logfile.
  • Under the comments section, say that Panda asked for the submission.
With Regards,
The Panda

#15 bingbong
  • Topic Starter
  • Members
  • 36 posts
  • Gender:Female

Posted 18 November 2008 - 04:51 PM

Ok, I've just attached the OTScan Log file.
