
Infected with Trojan Vundo, Virtuamonde, Popup and Popunders


This topic is locked. 8 replies to this topic.

#1 eko718 (Members, 6 posts)

Posted 31 October 2008 - 07:19 PM

It seems that while downloading some files off of LimeWire, I downloaded a harmful program which since has caused popup and popunder ad Internet Explorer windows to frequently appear whether or not I am on Internet Explorer.

I have followed the required steps and it seems that some of the issues have been resolved, but I do know that the Trojan Vundo could not be deleted by BitDefender.

I am concerned that my computer security may be compromised, and that I may have to reinstall Windows, which would be a massive headache.

Please help. I am using Windows XP Professional, and my HijackThis log is as follows:

=======================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:59 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: {e08fbad3-bba8-c008-0db4-6d372d3d1f5e} - {e5f1d3d2-73d6-4bd0-800c-8abb3dabf80e} - C:\WINDOWS\system32\dditqh.dll
O2 - BHO: (no name) - {F420CB6C-53DE-4E49-8D7D-96D04FC6C6F3} - C:\WINDOWS\system32\qoMFWOhE.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197223370296
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O20 - AppInit_DLLs: dditqh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 11831 bytes
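The two lines in the log above that carry the infection are the O2 BHO loading C:\WINDOWS\system32\dditqh.dll (its "name" is just another GUID) and O20 - AppInit_DLLs: dditqh.dll, which makes every process that loads user32.dll map the same DLL; a DLL that is mapped into every running process is locked while Windows is up, which is why an on-access delete from an antivirus product often fails. The third entry of interest, the "(no name)" BHO whose qoMFWOhE.dll is already "(file missing)", is an orphaned CLSID left behind by an earlier cleanup. The script below is an added example, not something posted in this thread or shipped with HijackThis: it parses HijackThis entry lines and applies those triage rules, plus a deliberately loose "random-looking name" heuristic for Vundo-style 6-8 letter DLL names. The sample input is a constructed excerpt of the log above (six entry lines copied verbatim); the severity labels and the heuristic thresholds are my own assumptions, and the random-name rule will produce false positives on short legitimate names, so treat its output as a triage aid to be confirmed by hash or signature checks, not as a verdict.

```python
import re

# Constructed excerpt of the HijackThis log posted above: only the entry lines
# needed to exercise each rule, copied verbatim from the post.
SAMPLE_LOG = r"""
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {e08fbad3-bba8-c008-0db4-6d372d3d1f5e} - {e5f1d3d2-73d6-4bd0-800c-8abb3dabf80e} - C:\WINDOWS\system32\dditqh.dll
O2 - BHO: (no name) - {F420CB6C-53DE-4E49-8D7D-96D04FC6C6F3} - C:\WINDOWS\system32\qoMFWOhE.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: dditqh.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<rest>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
SYSTEM32 = r"c:\windows\system32"
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}   # assumed severity scale


def parse_entries(text):
    """Return [(kind, rest)] for every HijackThis entry line (R0/R1, O2, O4, O20, ...)."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("rest")))
    return out


def looks_random(basename):
    """Heuristic for Vundo-style names such as dditqh.dll or qoMFWOhE.dll:
    a 6-8 letter stem with almost no vowels, or upper-case letters mid-word.
    Expect false positives; this is a triage aid, not a verdict."""
    stem = basename.rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    inner_upper = any(c.isupper() for c in stem[1:])
    return vowel_ratio <= 0.25 or inner_upper


def in_system32(path):
    return path.lower().startswith(SYSTEM32)


def triage(text):
    """Apply Vundo-oriented rules to a HijackThis log; return [(severity, message)]."""
    findings = []
    bho_dlls = {}       # lower-case basename -> full path, for cross-referencing
    appinit_dlls = []

    for kind, rest in parse_entries(text):
        if kind == "O2":
            # Layout: "BHO: <name> - {CLSID} - <path>[ (file missing)]"; the name
            # may itself contain " - ", so split from the right.
            parts = rest.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, clsid, path = parts
            name = name[len("BHO: "):] if name.startswith("BHO: ") else name
            missing = path.endswith("(file missing)")
            path = path.replace("(file missing)", "").strip()
            base = path.rsplit("\\", 1)[-1]
            bho_dlls[base.lower()] = path
            if missing:
                # Orphaned CLSID left behind after the DLL itself was removed.
                findings.append(("low", f"O2 dangling BHO {clsid} -> {path} (file missing)"))
            elif (GUID_RE.match(name) or name == "(no name)") and in_system32(path):
                findings.append(("high", f"O2 unnamed BHO loading from system32: {path}"))
            if in_system32(path) and looks_random(base):
                findings.append(("medium", f"O2 random-looking DLL name: {path}"))
        elif kind == "O20" and rest.startswith("AppInit_DLLs:"):
            # Anything listed here is mapped into every process that loads user32.dll.
            for dll in rest.split(":", 1)[1].replace(",", " ").split():
                appinit_dlls.append(dll)
                findings.append(("high", f"O20 AppInit_DLLs injects {dll} into every user32 process"))

    # The same DLL registered as a BHO *and* as an AppInit DLL is the classic
    # Vundo/Virtumonde footprint: the BHO serves the ads, AppInit keeps it resident.
    for dll in appinit_dlls:
        if dll.lower() in bho_dlls:
            findings.append(("critical", f"{dll} is both a BHO and an AppInit DLL: {bho_dlls[dll.lower()]}"))
    return findings


if __name__ == "__main__":
    for sev, msg in sorted(triage(SAMPLE_LOG), key=lambda f: RANK[f[0]]):
        print(f"[{sev:8}] {msg}")
```

Run against the excerpt it reports one critical finding (dditqh.dll registered both as a BHO and in AppInit_DLLs), two high, two medium and one low, and nothing for the RealPlayer BHO, the QuickTime Run entry or the NVIDIA service. The cross-reference rule is the one worth trusting; the name heuristic only orders what a human then verifies. On a live XP machine the same AppInit_DLLs value is read directly from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, which is also where the ComboFix "Reg Loading Points" section later in this thread shows it.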


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Location: Belgium)

Posted 01 November 2008 - 02:25 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Also, please uninstall Ewido, because this one is way outdated and is now a part of AVG.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 eko718 (Topic Starter, Members, 6 posts)

Posted 01 November 2008 - 03:04 PM

I followed the steps you suggested. The ComboFix run got interrupted initially when creating a log, however, and I had to rerun it; I hope that doesn't complicate things. Also, what security risks may I have been exposed to while infected? I am wondering if I need to take other steps to ensure my personal info was not compromised.

Below are the ComboFix and HijackThis logs. I greatly appreciate your help.


=====================

ComboFix 08-10-31.02 - EKO 2008-10-31 15:24:08.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1626 [GMT -4:00]
Running from: C:\Documents and Settings\EKO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\bhrvgtok.ini
C:\WINDOWS\system32\dditqh.dll
C:\WINDOWS\system32\EhOWFMoq.ini
C:\WINDOWS\system32\EhOWFMoq.ini2
C:\WINDOWS\system32\irgqxroe.dll
C:\WINDOWS\system32\MSVolume.dll
C:\WINDOWS\system32\pkcosmaf.dll
C:\WINDOWS\system32\trwhlkxj.ini
C:\WINDOWS\system32\vfmxqv.dll
C:\WINDOWS\system32\vxeglijj.dll
C:\WINDOWS\system32\yfvjrc.dll
C:\WINDOWS\system32\yuemondu.ini

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-31 )))))))))))))))))))))))))))))))
.

2008-12-01 03:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-12-01 03:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-12-01 03:23 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-12-01 03:23 . 2008-10-01 15:51 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2008-12-01 03:23 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-12-01 03:23 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-12-01 03:23 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-12-01 03:23 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-12-01 03:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-12-01 03:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-12-01 03:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-12-01 03:19 . 2008-12-01 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-12-01 03:19 . 2008-12-01 03:19 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-12-01 03:18 . 2008-12-01 03:19 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-12-01 02:02 . 2008-08-25 13:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-12-01 02:02 . 2008-08-25 13:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-12-01 02:02 . 2008-08-25 13:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-12-01 02:02 . 2008-06-02 17:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-12-01 02:01 . 2008-10-31 15:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-12-01 02:01 . 2008-12-01 02:01 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\PC Tools
2008-12-01 00:54 . 2008-12-01 03:24 2,272 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-31 01:41 . 2008-10-31 01:56 <DIR> d-------- C:\320f802849197d5f73f114
2008-10-30 23:58 . 2008-11-30 15:37 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml
2008-10-30 23:58 . 2008-10-30 23:58 385 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-10-30 23:18 . 2008-10-30 23:18 <DIR> d-------- C:\WINDOWS\system32\logs
2008-10-30 23:17 . 2008-10-30 23:17 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\BitDefender
2008-10-30 23:17 . 2008-10-30 23:17 <DIR> d-------- C:\Binaries
2008-10-30 23:15 . 2008-10-30 23:17 <DIR> d-------- C:\Program Files\BitDefender
2008-10-30 23:15 . 2008-10-30 23:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-10-30 23:12 . 2008-10-30 23:16 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-10-30 23:10 . 2008-10-30 23:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-30 23:10 . 2008-10-30 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-30 18:54 . 2008-10-30 18:54 <DIR> d--hs---- C:\Documents and Settings\EKO\PrivacIE
2008-10-30 18:35 . 2008-10-30 18:37 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-30 18:31 . 2008-10-30 18:31 <DIR> d-------- C:\Program Files\RegistryCleanerPro
2008-10-30 10:57 . 2008-12-01 01:41 <DIR> d-------- C:\Program Files\AdsGone
2008-10-30 10:57 . 2008-10-30 17:23 59 --a------ C:\WINDOWS\WinNetOptimize98ag.cfg
2008-10-30 00:56 . 2008-10-30 00:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-30 00:56 . 2008-10-30 00:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-29 17:08 . 2008-10-29 17:08 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\Iomatic
2008-10-29 15:47 . 2008-10-29 15:47 <DIR> d-------- C:\Program Files\Registry Medic 2008
2008-10-29 15:47 . 2008-10-29 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Iomatic
2008-10-29 13:04 . 2008-10-29 13:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-28 23:17 . 2008-10-30 10:21 343 --ahs---- C:\WINDOWS\system32\DKmonqru.ini
2008-10-28 23:15 . 2008-10-28 23:15 34,304 --a------ C:\WINDOWS\system32\urqNEUlM.dll
2008-10-28 23:15 . 2008-10-28 23:15 34,304 --a------ C:\WINDOWS\system32\rqRIaAsP.dll
2008-10-28 23:11 . 2008-10-28 23:11 34,304 --a------ C:\WINDOWS\system32\khfGxXrR.dll
2008-10-27 13:36 . 2008-10-31 10:48 54,472 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000005-00000000-00000008-00001102-00000005-00231102}.rfx
2008-10-27 13:36 . 2008-10-31 10:48 54,472 --a------ C:\WINDOWS\system32\BMXState-{00000005-00000000-00000008-00001102-00000005-00231102}.rfx
2008-10-27 13:36 . 2008-10-27 13:36 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-10-27 13:36 . 2008-10-27 13:36 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-10-27 13:36 . 2008-10-31 10:48 788 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000008-00001102-00000005-00231102}.rfx
2008-10-27 13:31 . 2008-10-27 13:31 <DIR> d-------- C:\Program Files\OpenAL
2008-10-27 12:45 . 2008-10-27 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative Labs
2008-10-25 22:08 . 1999-12-12 13:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-10-25 22:08 . 1999-11-17 13:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-10-25 21:40 . 2005-08-07 17:58 366,041 -ra------ C:\WINDOWS\system32\SET3D.tmp
2008-10-25 21:40 . 2008-07-15 18:08 347,080 --a------ C:\WINDOWS\system32\drivers\ctdvda2k.sys
2008-10-25 21:40 . 2008-07-11 15:40 321,512 --a------ C:\WINDOWS\system32\ctdlang.dat
2008-10-25 21:40 . 2008-07-11 15:53 181,248 --a------ C:\WINDOWS\system32\ctdvinst.dll
2008-10-25 21:40 . 2005-08-07 18:17 134,656 -ra------ C:\WINDOWS\system32\SET6B.tmp
2008-10-25 21:40 . 2008-07-11 15:53 86,016 --a------ C:\WINDOWS\system32\ctcoinst.dll
2008-10-25 21:40 . 2005-08-07 18:17 81,920 -ra------ C:\WINDOWS\system32\SET69.tmp
2008-10-25 21:40 . 2008-07-11 15:39 49,152 --a------ C:\WINDOWS\system32\ctdproxy.dll
2008-10-25 21:40 . 2008-07-11 15:51 34,816 --a------ C:\WINDOWS\system32\a3d.dll
2008-10-25 21:40 . 2005-02-07 17:45 3,128 --a------ C:\WINDOWS\system32\XFi.bmp
2008-10-25 21:40 . 2005-02-07 17:45 766 --a------ C:\WINDOWS\system32\SBXFi.ico
2008-10-25 21:34 . 2008-10-25 22:01 347 --a------ C:\WINDOWS\CTWave32.INI
2008-10-25 21:31 . 2008-10-25 21:31 29 --a------ C:\WINDOWS\sfbm.INI
2008-10-24 18:23 . 2007-02-26 15:24 94,208 --a------ C:\WINDOWS\system32\cttele32.dll
2008-10-24 18:16 . 2008-07-15 01:08 24,089,151 --a------ C:\WINDOWS\system32\AppSetup.exe
2008-10-24 18:05 . 2008-10-24 18:05 <DIR> d-------- C:\Program Files\Common Files\Creative Labs Shared
2008-10-24 17:45 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-10-23 20:14 . 2008-10-23 20:14 <DIR> d-------- C:\NVIDIA
2008-10-23 20:10 . 2008-10-23 20:10 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-10-22 15:11 . 2008-10-22 15:11 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\2K Sports
2008-10-22 14:40 . 2008-11-30 22:41 <DIR> d-------- C:\Program Files\Steam
2008-10-07 13:33 . 2008-10-07 13:33 3,989,504 --a------ C:\WINDOWS\system32\nvdisps.dll
2008-10-07 13:33 . 2008-10-07 13:33 3,764,224 --a------ C:\WINDOWS\system32\nvvitvs.dll
2008-10-07 13:33 . 2008-10-07 13:33 3,444,736 --a------ C:\WINDOWS\system32\nvgames.dll
2008-10-07 13:33 . 2008-10-07 13:33 2,686,976 --a------ C:\WINDOWS\system32\nvwss.dll
2008-10-07 13:33 . 2008-10-07 13:33 1,368,064 --a------ C:\WINDOWS\system32\nvcuda.dll
2008-10-07 13:33 . 2008-10-07 13:33 1,257,472 --a------ C:\WINDOWS\system32\nvmobls.dll
2008-10-07 13:33 . 2008-10-07 13:33 797,216 --a------ C:\WINDOWS\system32\nvcplui.exe
2008-10-07 13:33 . 2008-10-07 13:33 475,136 --a------ C:\WINDOWS\system32\nvapi.dll
2008-10-07 13:33 . 2008-10-07 13:33 420,384 --a------ C:\WINDOWS\system32\nvcpl.cpl
2008-10-07 13:33 . 2008-10-07 13:33 229,376 --a------ C:\WINDOWS\system32\nvmccs.dll
2008-10-07 13:33 . 2008-10-07 13:33 188,416 --a------ C:\WINDOWS\system32\nvmccss.dll
2008-10-07 13:33 . 2008-10-07 13:33 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2008-10-04 20:10 . 2008-10-04 20:11 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-10-04 12:42 . 2008-10-04 12:42 <DIR> d-------- C:\2f0cb8615059a3c15c7b92fa54a47542
2008-09-26 17:03 . 2008-09-26 17:03 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\MailFrontier
2008-09-26 16:11 . 2008-08-21 20:41 1,221,008 --a------ C:\WINDOWS\system32\zpeng25.dll
2008-09-15 21:21 . 2008-09-15 21:21 <DIR> d-------- C:\Program Files\Raptor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 22:28 2,467,328 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-10-31 19:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-31 19:10 470,971,680 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-31 14:48 6,287,288 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-31 14:01 --------- d-----w C:\Program Files\Viewpoint
2008-10-31 04:26 103,944 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-10-30 21:23 58,707 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_10_30_17_21_59_small.dmp.zip
2008-10-29 17:46 --------- d-----w C:\Program Files\Download Manager
2008-10-29 03:10 --------- d-----w C:\Documents and Settings\EKO\Application Data\LimeWire
2008-10-28 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-27 17:32 --------- d-----w C:\Program Files\Creative
2008-10-27 17:31 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-10-27 17:31 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-10-27 17:31 --------- d-----w C:\Documents and Settings\EKO\Application Data\Creative
2008-10-27 16:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-10-26 01:40 3,359,744 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-10-26 01:40 2,298,368 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-10-24 00:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-22 14:19 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-05 00:25 --------- d-----w C:\Program Files\Yahoo!
2008-10-02 14:07 453,152 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-09-28 01:51 35,513,737 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-09-26 02:01 1,640,448 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-09-19 15:31 --------- d-----w C:\Program Files\GetRight
2008-09-18 13:53 --------- d-----w C:\Program Files\Dearborn
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-29 15:22 56,912 ----a-w C:\Documents and Settings\EKO\g2mdlhlpx.exe
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-22 07:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 07:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 07:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 07:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 07:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 07:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 07:05 48,640 ----a-w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 07:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 07:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 07:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 06:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-22 00:41 72,592 ----a-w C:\WINDOWS\zllsputility.exe
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-05 21:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-15 21:23 72,728 ----a-w C:\WINDOWS\system32\CTHWIUT.DLL
2008-07-15 21:23 170,520 ----a-w C:\WINDOWS\system32\CT20XUT.DLL
2008-07-15 21:22 1,323,544 ----a-w C:\WINDOWS\system32\CTEXFIFX.DLL
2008-07-11 19:51 27,648 ----a-w C:\WINDOWS\system32\ac3api.dll
2008-07-11 19:50 45,056 ----a-w C:\WINDOWS\system32\CTxfiSpk.dll
2008-07-11 19:50 35,840 ----a-w C:\WINDOWS\system32\CTxfiBtn.dll
2008-07-11 19:50 3,072 ----a-w C:\WINDOWS\system32\CtxfiRes.dll
2008-07-11 19:50 3,072 ----a-w C:\WINDOWS\CTXFIRES.DLL
2008-07-11 19:50 19,968 ----a-w C:\WINDOWS\system32\Ctxfihlp.exe
2008-07-11 19:46 969,216 ----a-w C:\WINDOWS\system32\CTxfispi.exe
2008-07-11 19:46 43,520 ----a-w C:\WINDOWS\system32\Ctxfireg.exe
2008-07-11 19:46 10,752 ----a-w C:\WINDOWS\system32\Ct20xspi.dll
2008-07-11 19:40 110,080 ----a-w C:\WINDOWS\system32\ctemupia.dll
2008-07-11 19:39 69,120 ----a-w C:\WINDOWS\system32\ctosuser.dll
2008-07-11 19:39 64,512 ----a-w C:\WINDOWS\system32\piaproxy.dll
2008-07-11 19:39 6,144 ----a-w C:\WINDOWS\system32\sfman32.dll
2008-07-11 19:39 46,592 ----a-w C:\WINDOWS\system32\ctasio.dll
2008-07-11 19:39 174,592 ----a-w C:\WINDOWS\system32\ct_oal.dll
2008-07-11 19:39 13,312 ----a-w C:\WINDOWS\system32\regplib.exe
2008-07-11 19:39 104,448 ----a-w C:\WINDOWS\system32\sfms32.dll
2008-07-11 19:37 5,120 ----a-w C:\WINDOWS\system32\enlocstr.exe
2008-07-11 19:37 10,240 ----a-w C:\WINDOWS\system32\killapps.exe
2008-07-11 19:36 32,768 ----a-w C:\WINDOWS\system32\devreg.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-05-17 23:02 498,096 ----a-w C:\Documents and Settings\EKO\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13574144]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"VolPanel"="C:\Program Files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"nwiz"="nwiz.exe" [2008-10-07 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dditqh.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^AdsGone.lnk]
path=C:\Documents and Settings\EKO\Start Menu\Programs\Startup\AdsGone.lnk
backup=C:\WINDOWS\pss\AdsGone.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^Palm Registration.lnk]
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 20:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 17:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2008-10-31 00:26 716800 C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]
--a------ 2008-08-10 23:53 69632 C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Copperhead]
--a------ 2005-11-25 10:53 155648 C:\Program Files\Razer\Copperhead\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--------- 2004-11-30 11:00 135168 C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 01:00 45056 C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 19:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 C:\Program Files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 17:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomatic_RegFirewall]
--a------ 2008-03-11 01:14 1196032 C:\Program Files\Registry Medic 2008\RegFirewall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--a------ 2004-12-22 11:21 823296 C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 20:28 212992 C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
--a------ 2004-07-26 13:04 159744 C:\Program Files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
--------- 2005-06-16 18:25 49152 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryCleanerProMFCT]
--a------ 2008-10-16 15:16 13422592 C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-02-04 00:23 160592 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
--a------ 2004-07-26 13:04 98304 C:\Program Files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-22 14:40 1410296 C:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 03:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-12 00:46 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 13:14 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
--------- 2006-10-18 21:58 8704 C:\Program Files\Windows Media Connect 2\WMCCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-08-21 20:41 981904 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-08-07 18:10 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2008-07-11 15:50 19968 C:\WINDOWS\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 ABIT-IO;ABIT-IO;C:\WINDOWS\system32\Drivers\ABIT-IO.sys [2004-09-10 7680]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-12-01 160792]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-10-31 103944]
R3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 11596]
S2 BDVEDISK;BDVEDISK;C:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82568]
S2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 425984]
S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [2008-08-12 108864]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-10-24 79360]
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-10-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e5f1d3d2-73d6-4bd0-800c-8abb3dabf80e} - C:\WINDOWS\system32\dditqh.dll
BHO-{F420CB6C-53DE-4E49-8D7D-96D04FC6C6F3} - C:\WINDOWS\system32\qoMFWOhE.dll
HKLM-Run-DXDllRegExe - dxdllreg.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\EKO\Application Data\Mozilla\Firefox\Profiles\2nq4rui4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Download Manager\npfpdlm.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 15:30:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-10-31 15:42:49
ComboFix-quarantined-files.txt 2008-10-31 19:41:47

Pre-Run: 195,686,924,288 bytes free
Post-Run: 195,661,156,352 bytes free

393 --- E O F --- 2008-10-31 14:47:54



======================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:59, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197223370296
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O20 - AppInit_DLLs: dditqh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 10884 bytes
=========================

Edited by eko718, 01 November 2008 - 03:06 PM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:27 AM

Posted 01 November 2008 - 04:52 PM

Hi,

Also, what security risks may I have been exposed to while infected? I am wondering if I need to take other steps to ensure my personal info was not compromised.

It's always a good idea to change your passwords afterwards, just to be on the safe side.

But we're not finished yet, there are still a few leftovers we have to delete.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\DKmonqru.ini
C:\WINDOWS\system32\urqNEUlM.dll
C:\WINDOWS\system32\rqRIaAsP.dll
C:\WINDOWS\system32\khfGxXrR.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Extra note: I see you have a few "Registry Cleaners" installed (RegistryCleanerPro, Registry Medic 2008, ...). Keep in mind that many of these so-called Registry Cleaner tools are rogue applications. Also, I do not recommend Registry Cleaners in general. See here why I do not recommend them: http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
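As an added example (not part of this thread, nor code from HijackThis or ComboFix), the script below triages the kinds of log lines seen above: HijackThis `O2 - BHO:` and `O20 - AppInit_DLLs:` entries and ComboFix's `"AppInit_DLLs"=` and orphaned `BHO-{...}` lines. It flags any DLL loaded through AppInit_DLLs and BHOs whose DLL name looks random, then renders the same `File::` / `Registry::` CFScript layout the helper used. The random-name heuristic and its thresholds are my assumptions, and the sample lines are constructed from entries visible in this thread.

```python
"""Triage HijackThis / ComboFix log lines for Vundo-style persistence.

Added example for this thread, not part of HijackThis, ComboFix or the
helper's own script. The random-name heuristic and its thresholds are
assumptions; the sample lines are constructed from entries visible above.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the kinds of lines that appear in the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O20 - AppInit_DLLs: dditqh.dll
"AppInit_DLLs"=dditqh.dll
BHO-{e5f1d3d2-73d6-4bd0-800c-8abb3dabf80e} - C:\WINDOWS\system32\dditqh.dll
BHO-{F420CB6C-53DE-4E49-8D7D-96D04FC6C6F3} - C:\WINDOWS\system32\qoMFWOhE.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HijackThis O2 (BHO) and O20 (AppInit_DLLs) entries.
HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
HJT_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
# ComboFix "Reg Loading Points" value and "ORPHANS REMOVED" BHO lines.
CF_APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
CF_BHO = re.compile(r"^BHO-\{(?P<clsid>[^}]+)\} - (?P<path>.+)$")

VOWELS = set("aeiou")


@dataclass
class Finding:
    severity: str          # "suspicious" (act on it) or "review" (check by hand)
    kind: str              # "AppInit_DLLs" or "BHO"
    detail: str
    path: Optional[str] = None


def random_dll_name(path: str) -> bool:
    """Heuristic (assumption): Vundo drops 6-8 letter DLL names with no
    word-like structure, i.e. almost no vowels or arbitrary case changes."""
    stem = ntpath.splitext(ntpath.basename(path))[0]  # ntpath: works on any host OS
    if not stem.isalpha() or not 6 <= len(stem) <= 8:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in stem) / len(stem)
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowel_ratio < 0.2 or case_flips >= 3


def triage(lines: List[str]) -> List[Finding]:
    """Walk log lines and collect persistence findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = HJT_APPINIT.match(line) or CF_APPINIT.match(line)
        if m:
            value = m.group("value").strip().strip('"')
            if value:  # a DLL in AppInit_DLLs is loaded into every process that loads user32.dll
                findings.append(Finding("suspicious", "AppInit_DLLs",
                                        f"AppInit_DLLs loads {value}", value))
            continue
        m = HJT_BHO.match(line)
        if m:
            path, name = m.group("path"), m.group("name")
            if random_dll_name(path):
                findings.append(Finding("suspicious", "BHO",
                                        f"BHO with random-looking DLL name: {path}", path))
            elif name == "(no name)":
                findings.append(Finding("review", "BHO",
                                        f"BHO without a display name: {path}", path))
            continue
        m = CF_BHO.match(line)
        if m:
            path = m.group("path")
            sev = "suspicious" if random_dll_name(path) else "review"
            findings.append(Finding(sev, "BHO", f"orphaned BHO file: {path}", path))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render File:: / Registry:: sections in the CFScript layout the helper
    used above: files to delete, then clearing AppInit_DLLs."""
    files: List[str] = []
    for f in findings:
        # Only full paths can go under File::; a bare DLL name is not enough.
        if f.severity == "suspicious" and f.path and "\\" in f.path and f.path not in files:
            files.append(f.path)
    out: List[str] = []
    if files:
        out.append("File::")
        out.extend(files)
    if any(f.kind == "AppInit_DLLs" for f in findings):
        out.append("Registry::")
        out.append(r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]")
        out.append('"AppInit_DLLs"=""')
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.strip().splitlines())
    print("\n".join(f"[{f.severity}] {f.detail}" for f in found))
    print(build_cfscript(found))
```

The "review" findings (a legitimate BHO such as RoboForm registers with no display name) are for a human to judge; only "suspicious" paths end up in the generated script.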

#5 eko718

eko718
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:27 PM

Posted 01 November 2008 - 07:24 PM

Here you go. Deleted the registry cleaners also....



ComboFix 08-11-01.01 - EKO 2008-11-01 19:54:09.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1651 [GMT -4:00]
Running from: C:\Documents and Settings\EKO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\EKO\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\DKmonqru.ini
C:\WINDOWS\system32\khfGxXrR.dll
C:\WINDOWS\system32\rqRIaAsP.dll
C:\WINDOWS\system32\urqNEUlM.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\DKmonqru.ini
C:\WINDOWS\system32\khfGxXrR.dll
C:\WINDOWS\system32\rqRIaAsP.dll
C:\WINDOWS\system32\urqNEUlM.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-01 to 2008-11-01 )))))))))))))))))))))))))))))))
.

2008-12-01 03:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-12-01 03:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-12-01 03:23 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-12-01 03:23 . 2008-10-01 15:51 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2008-12-01 03:23 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-12-01 03:23 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-12-01 03:23 . 2008-10-10 08:58 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-12-01 03:23 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-12-01 03:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-12-01 03:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-12-01 03:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-12-01 03:19 . 2008-12-01 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-12-01 03:19 . 2008-12-01 03:19 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-12-01 03:18 . 2008-12-01 03:19 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-12-01 02:02 . 2008-08-25 13:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-12-01 02:02 . 2008-08-25 13:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-12-01 02:02 . 2008-08-25 13:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-12-01 02:02 . 2008-06-02 17:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-12-01 02:01 . 2008-10-31 15:53 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-12-01 02:01 . 2008-12-01 02:01 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\PC Tools
2008-12-01 00:54 . 2008-12-01 03:24 2,272 --a------ C:\WINDOWS\system32\tmp.reg
2008-11-01 17:27 . 2008-11-01 18:38 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\MailFrontier
2008-11-01 17:16 . 2008-11-01 17:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-31 01:41 . 2008-10-31 01:56 <DIR> d-------- C:\320f802849197d5f73f114
2008-10-30 23:58 . 2008-11-30 15:37 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml
2008-10-30 23:58 . 2008-10-30 23:58 385 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-10-30 23:18 . 2008-10-30 23:18 <DIR> d-------- C:\WINDOWS\system32\logs
2008-10-30 23:15 . 2008-11-01 17:15 <DIR> d-------- C:\Program Files\BitDefender
2008-10-30 23:12 . 2008-11-01 17:15 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-10-30 23:10 . 2008-10-30 23:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-30 23:10 . 2008-10-31 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-30 18:54 . 2008-10-30 18:54 <DIR> d--hs---- C:\Documents and Settings\EKO\PrivacIE
2008-10-30 18:35 . 2008-10-30 18:37 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-30 18:31 . 2008-11-01 19:46 <DIR> d-------- C:\Program Files\RegistryCleanerPro
2008-10-30 10:57 . 2008-12-01 01:41 <DIR> d-------- C:\Program Files\AdsGone
2008-10-30 10:57 . 2008-10-30 17:23 59 --a------ C:\WINDOWS\WinNetOptimize98ag.cfg
2008-10-30 00:56 . 2008-10-30 00:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-30 00:56 . 2008-10-30 00:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-29 17:08 . 2008-10-29 17:08 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\Iomatic
2008-10-29 15:47 . 2008-11-01 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Iomatic
2008-10-29 13:04 . 2008-10-29 13:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-27 13:36 . 2008-11-01 19:49 54,472 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000005-00000000-00000008-00001102-00000005-00231102}.rfx
2008-10-27 13:36 . 2008-11-01 19:49 54,472 --a------ C:\WINDOWS\system32\BMXState-{00000005-00000000-00000008-00001102-00000005-00231102}.rfx
2008-10-27 13:36 . 2008-10-27 13:36 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-10-27 13:36 . 2008-10-27 13:36 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-10-27 13:36 . 2008-11-01 19:49 788 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000008-00001102-00000005-00231102}.rfx
2008-10-27 13:31 . 2008-10-27 13:31 <DIR> d-------- C:\Program Files\OpenAL
2008-10-27 12:45 . 2008-10-27 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative Labs
2008-10-25 22:08 . 1999-12-12 13:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-10-25 22:08 . 1999-11-17 13:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-10-25 21:40 . 2005-08-07 17:58 366,041 -ra------ C:\WINDOWS\system32\SET3D.tmp
2008-10-25 21:40 . 2008-07-15 18:08 347,080 --a------ C:\WINDOWS\system32\drivers\ctdvda2k.sys
2008-10-25 21:40 . 2008-07-11 15:40 321,512 --a------ C:\WINDOWS\system32\ctdlang.dat
2008-10-25 21:40 . 2008-07-11 15:53 181,248 --a------ C:\WINDOWS\system32\ctdvinst.dll
2008-10-25 21:40 . 2005-08-07 18:17 134,656 -ra------ C:\WINDOWS\system32\SET6B.tmp
2008-10-25 21:40 . 2008-07-11 15:53 86,016 --a------ C:\WINDOWS\system32\ctcoinst.dll
2008-10-25 21:40 . 2005-08-07 18:17 81,920 -ra------ C:\WINDOWS\system32\SET69.tmp
2008-10-25 21:40 . 2008-07-11 15:39 49,152 --a------ C:\WINDOWS\system32\ctdproxy.dll
2008-10-25 21:40 . 2008-07-11 15:51 34,816 --a------ C:\WINDOWS\system32\a3d.dll
2008-10-25 21:40 . 2005-02-07 17:45 3,128 --a------ C:\WINDOWS\system32\XFi.bmp
2008-10-25 21:40 . 2005-02-07 17:45 766 --a------ C:\WINDOWS\system32\SBXFi.ico
2008-10-25 21:34 . 2008-10-25 22:01 347 --a------ C:\WINDOWS\CTWave32.INI
2008-10-25 21:31 . 2008-10-25 21:31 29 --a------ C:\WINDOWS\sfbm.INI
2008-10-24 18:23 . 2007-02-26 15:24 94,208 --a------ C:\WINDOWS\system32\cttele32.dll
2008-10-24 18:16 . 2008-07-15 01:08 24,089,151 --a------ C:\WINDOWS\system32\AppSetup.exe
2008-10-24 18:05 . 2008-10-24 18:05 <DIR> d-------- C:\Program Files\Common Files\Creative Labs Shared
2008-10-24 17:45 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-10-23 20:14 . 2008-10-23 20:14 <DIR> d-------- C:\NVIDIA
2008-10-23 20:10 . 2008-10-23 20:10 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-10-22 15:11 . 2008-10-22 15:11 <DIR> d-------- C:\Documents and Settings\EKO\Application Data\2K Sports
2008-10-22 14:40 . 2008-11-01 16:36 <DIR> d-------- C:\Program Files\Steam
2008-10-07 13:33 . 2008-10-07 13:33 3,989,504 --a------ C:\WINDOWS\system32\nvdisps.dll
2008-10-07 13:33 . 2008-10-07 13:33 3,764,224 --a------ C:\WINDOWS\system32\nvvitvs.dll
2008-10-07 13:33 . 2008-10-07 13:33 3,444,736 --a------ C:\WINDOWS\system32\nvgames.dll
2008-10-07 13:33 . 2008-10-07 13:33 2,686,976 --a------ C:\WINDOWS\system32\nvwss.dll
2008-10-07 13:33 . 2008-10-07 13:33 1,368,064 --a------ C:\WINDOWS\system32\nvcuda.dll
2008-10-07 13:33 . 2008-10-07 13:33 1,257,472 --a------ C:\WINDOWS\system32\nvmobls.dll
2008-10-07 13:33 . 2008-10-07 13:33 797,216 --a------ C:\WINDOWS\system32\nvcplui.exe
2008-10-07 13:33 . 2008-10-07 13:33 475,136 --a------ C:\WINDOWS\system32\nvapi.dll
2008-10-07 13:33 . 2008-10-07 13:33 420,384 --a------ C:\WINDOWS\system32\nvcpl.cpl
2008-10-07 13:33 . 2008-10-07 13:33 229,376 --a------ C:\WINDOWS\system32\nvmccs.dll
2008-10-07 13:33 . 2008-10-07 13:33 188,416 --a------ C:\WINDOWS\system32\nvmccss.dll
2008-10-07 13:33 . 2008-10-07 13:33 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2008-10-04 20:10 . 2008-10-04 20:11 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-10-04 12:42 . 2008-10-04 12:42 <DIR> d-------- C:\2f0cb8615059a3c15c7b92fa54a47542

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 22:28 2,467,328 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-11-01 23:49 144,572 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-11-01 23:49 10,714,400 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-11-01 20:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-31 14:01 --------- d-----w C:\Program Files\Viewpoint
2008-10-30 21:23 58,707 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_10_30_17_21_59_small.dmp.zip
2008-10-29 17:46 --------- d-----w C:\Program Files\Download Manager
2008-10-29 03:10 --------- d-----w C:\Documents and Settings\EKO\Application Data\LimeWire
2008-10-28 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-10-27 17:32 --------- d-----w C:\Program Files\Creative
2008-10-27 17:31 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-10-27 17:31 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-10-27 17:31 --------- d-----w C:\Documents and Settings\EKO\Application Data\Creative
2008-10-27 16:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-10-26 01:40 3,359,744 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-10-26 01:40 2,298,368 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-10-24 00:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-22 14:19 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-09 18:25 73,104 ----a-w C:\WINDOWS\zllsputility.exe
2008-10-09 18:25 1,221,008 ----a-w C:\WINDOWS\system32\zpeng25.dll
2008-10-05 00:25 --------- d-----w C:\Program Files\Yahoo!
2008-10-02 14:07 453,152 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-09-28 01:51 35,513,737 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-09-26 02:01 1,640,448 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-09-19 15:31 --------- d-----w C:\Program Files\GetRight
2008-09-18 13:53 --------- d-----w C:\Program Files\Dearborn
2008-09-16 01:21 --------- d-----w C:\Program Files\Raptor
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-29 15:22 56,912 ----a-w C:\Documents and Settings\EKO\g2mdlhlpx.exe
2008-08-22 07:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 07:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 07:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 07:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 07:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 07:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 07:05 48,640 ----a-w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 07:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 07:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 07:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 06:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-05 21:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-05-17 23:02 498,096 ----a-w C:\Documents and Settings\EKO\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-10-31_15.41.25.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 03:01:58 147,984 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-09-18 22:15:14 148,496 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2008-08-22 00:41:08 107,408 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2008-10-09 18:25:20 107,408 ----a-w C:\WINDOWS\system32\vsdata.dll
- 2008-08-22 00:41:40 353,680 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2008-10-09 18:25:36 353,680 ----a-w C:\WINDOWS\system32\vsdatant.sys
- 2008-08-22 00:41:08 215,440 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2008-10-09 18:25:20 216,464 ----a-w C:\WINDOWS\system32\vsinit.dll
- 2008-08-22 00:41:10 107,408 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2008-10-09 18:25:22 107,408 ----a-w C:\WINDOWS\system32\vsmonapi.dll
- 2008-08-22 00:41:10 310,160 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2008-10-09 18:25:22 310,160 ----a-w C:\WINDOWS\system32\vspubapi.dll
- 2008-08-22 00:41:10 58,768 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2008-10-09 18:25:22 58,768 ----a-w C:\WINDOWS\system32\vsregexp.dll
- 2008-08-22 00:41:10 475,536 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2008-10-09 18:25:22 475,536 ----a-w C:\WINDOWS\system32\vsutil.dll
- 2008-08-22 00:41:12 30,096 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2008-10-09 18:25:22 30,096 ----a-w C:\WINDOWS\system32\vswmi.dll
- 2008-08-22 00:41:12 110,480 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2008-10-09 18:25:24 110,480 ----a-w C:\WINDOWS\system32\vsxml.dll
- 2008-08-22 00:41:12 69,008 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2008-10-09 18:25:24 69,008 ----a-w C:\WINDOWS\system32\zlcomm.dll
- 2008-08-22 00:41:12 106,384 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2008-10-09 18:25:24 106,384 ----a-w C:\WINDOWS\system32\zlcommdb.dll
- 2008-10-14 14:25:12 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
+ 2008-11-01 21:21:24 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
- 2008-08-22 00:41:02 395,152 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2008-10-09 18:25:16 395,664 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
- 2008-10-31 19:23:56 858,884 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-11-01 23:51:58 41,836 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-08-22 00:41:02 76,176 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2008-10-09 18:25:18 76,176 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
- 2008-08-22 00:41:04 98,192 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2008-10-09 18:25:18 98,192 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
- 2008-08-22 00:41:04 38,288 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2008-10-09 18:25:18 38,288 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
- 2008-08-22 00:41:04 158,608 ----a-w C:\WINDOWS\system32\ZoneLabs\httpblocker.dll
+ 2008-10-09 18:25:18 159,120 ----a-w C:\WINDOWS\system32\ZoneLabs\httpblocker.dll
- 2008-08-22 00:41:42 28,048 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\Alert.zip.dll
+ 2008-10-09 18:25:40 28,048 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\Alert.zip.dll
- 2008-08-22 00:41:42 322,960 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-10-09 18:25:40 322,960 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
- 2008-08-22 00:41:44 125,328 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2008-10-09 18:25:40 125,328 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\DashBoard.zip.dll
- 2008-08-22 00:41:44 331,664 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2008-10-09 18:25:40 331,664 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\LicenseUI.zip.dll
- 2008-08-22 00:41:44 10,128 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2008-10-09 18:25:40 10,128 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\MainLoop.zip.dll
- 2008-08-22 00:41:44 17,808 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2008-10-09 18:25:40 17,808 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\NavBar.zip.dll
- 2008-08-22 00:41:44 110,992 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\Overview.zip.dll
+ 2008-10-09 18:25:42 110,992 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\Overview.zip.dll
- 2008-08-22 00:41:44 238,992 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\Sandbox.zip.dll
+ 2008-10-09 18:25:42 238,992 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\Sandbox.zip.dll
- 2008-08-22 00:41:44 156,048 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2008-10-09 18:25:42 156,048 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\TrayTest.zip.dll
- 2008-08-22 00:41:46 19,856 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2008-10-09 18:25:42 19,856 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\UpdateUI.zip.dll
- 2008-08-22 00:41:46 43,920 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2008-10-09 18:25:42 43,920 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ZAlert.zip.dll
- 2008-08-22 00:41:46 19,344 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zic.zip.dll
+ 2008-10-09 18:25:42 19,344 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zic.zip.dll
- 2008-08-22 00:41:46 13,712 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2008-10-09 18:25:42 13,712 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zmenu.zip.dll
- 2008-08-22 00:41:46 24,464 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zp4pc.zip.dll
+ 2008-10-09 18:25:42 24,464 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zp4pc.zip.dll
- 2008-08-22 00:41:46 30,608 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpdp.zip.dll
+ 2008-10-09 18:25:42 30,608 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpdp.zip.dll
- 2008-08-22 00:41:46 1,536,400 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-10-09 18:25:42 1,536,400 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
- 2008-08-22 00:41:48 18,832 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zsys.zip.dll
+ 2008-10-09 18:25:42 18,832 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zsys.zip.dll
- 2008-08-22 00:41:48 70,032 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ztv.zip.dll
+ 2008-10-09 18:25:44 70,032 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ztv.zip.dll
- 2008-08-22 00:41:48 114,064 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-10-09 18:25:44 114,064 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
- 2008-08-22 00:41:48 59,792 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zvpn.zip.dll
+ 2008-10-09 18:25:44 59,792 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zvpn.zip.dll
- 2008-08-22 00:41:06 132,496 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2008-10-09 18:25:20 132,496 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
- 2008-10-28 14:19:28 10,213,404 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-11-01 21:45:58 10,244,586 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2008-09-26 21:22:57 9,900,691 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware0.dat
+ 2008-11-01 21:45:46 9,900,691 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware0.dat
- 2008-08-22 00:41:06 443,280 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2008-10-09 18:25:20 443,280 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
- 2008-08-22 00:41:30 176,016 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2008-10-09 18:25:32 176,016 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
- 2008-08-22 00:41:08 106,896 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2008-10-09 18:25:20 106,896 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
- 2008-08-22 00:41:32 2,405,776 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2008-10-09 18:25:32 2,405,776 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
- 2008-08-22 00:41:10 1,655,184 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2008-10-09 18:25:22 1,655,184 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
- 2008-08-22 00:41:10 172,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2008-10-09 18:25:22 172,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
- 2008-08-22 00:41:12 178,576 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2008-10-09 18:25:24 178,576 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
- 2008-08-22 00:41:14 98,192 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2008-10-09 18:25:24 98,192 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
- 2008-08-22 00:41:14 311,696 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2008-10-09 18:25:24 311,696 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
- 2008-08-22 00:41:16 110,480 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2008-10-09 18:25:24 110,480 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13574144]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"VolPanel"="C:\Program Files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"nwiz"="nwiz.exe" [2008-10-07 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dditqh.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^AdsGone.lnk]
path=C:\Documents and Settings\EKO\Start Menu\Programs\Startup\AdsGone.lnk
backup=C:\WINDOWS\pss\AdsGone.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^Palm Registration.lnk]
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EKO^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 20:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 17:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Copperhead]
--a------ 2005-11-25 10:53 155648 C:\Program Files\Razer\Copperhead\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--------- 2004-11-30 11:00 135168 C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 01:00 45056 C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2007-03-15 19:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 C:\Program Files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2007-03-05 17:57 1103480 C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--a------ 2004-12-22 11:21 823296 C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 20:28 212992 C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
--a------ 2004-07-26 13:04 159744 C:\Program Files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
--------- 2005-06-16 18:25 49152 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-02-04 00:23 160592 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
--a------ 2004-07-26 13:04 98304 C:\Program Files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-22 14:40 1410296 C:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 03:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-12 00:46 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-06-21 13:14 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
--------- 2006-10-18 21:58 8704 C:\Program Files\Windows Media Connect 2\WMCCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2008-10-09 14:25 981904 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-08-07 18:10 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2008-07-11 15:50 19968 C:\WINDOWS\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 ABIT-IO;ABIT-IO;C:\WINDOWS\system32\Drivers\ABIT-IO.sys [2004-09-10 7680]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-12-01 160792]
R3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 11596]
S2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 425984]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-10-24 79360]
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]
.
Contents of the 'Scheduled Tasks' folder

2008-10-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BDAgent - C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
MSConfigStartUp-BitDefender Antiphishing Helper - C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe
MSConfigStartUp-Iomatic_RegFirewall - C:\Program Files\Registry Medic 2008\RegFirewall.exe
MSConfigStartUp-RegistryCleanerProMFCT - C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 20:01:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-11-01 20:12:30
ComboFix-quarantined-files.txt 2008-11-02 00:11:28

Pre-Run: 201,099,161,600 bytes free
Post-Run: 201,122,430,976 bytes free

419 --- E O F --- 2008-11-01 20:17:25



===========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:20:32 PM, on 11/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197223370296
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O20 - AppInit_DLLs: dditqh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9866 bytes

#6 miekiemoes

Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 November 2008 - 03:08 AM

Hi,

I think the Registry:: part in the CFScript wasn't copied and pasted properly, but that's not an issue; we can delete the registry leftover via HijackThis as well.

Check and fix the next entry in HijackThis:

O20 - AppInit_DLLs: dditqh.dll

Then, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
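As an added illustration (my own code, not part of this thread or of HijackThis), a small Python parser that walks HijackThis log lines and flags the two findings raised above: a populated AppInit_DLLs value (O20) and an outdated Java runtime path (O9). The sample lines are copied from the log posted in this thread; the function names and the JRE 6 Update 10 threshold are my assumptions.

```python
import re

# A HijackThis entry looks like "O20 - AppInit_DLLs: dditqh.dll": section id, " - ", body.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{0,2}) - (?P<body>.+)$")
# Java runtime folder such as "\jre1.5.0_11\" inside a path.
JRE_PATH = re.compile(
    r"\\jre(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)_(?P<update>\d+)\\", re.IGNORECASE)

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = """\
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197223370296
O20 - AppInit_DLLs: dditqh.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
--
End of file - 9866 bytes
"""


def parse_hjt(text):
    """Return (section, body) tuples; header and footer lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def appinit_dlls(entries):
    """DLL names listed under AppInit_DLLs (O20). On a clean Windows XP system this value
    is normally empty; anything listed here is loaded into every process that loads
    user32.dll, which is why it deserves a look whenever it is populated."""
    dlls = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            dlls.extend(d for d in re.split(r"[ ,]+", value) if d)
    return dlls


def outdated_java(entries, min_version=(1, 6, 0, 10)):
    """JRE folders older than min_version (assumed threshold: JRE 6 Update 10, i.e. 1.6.0_10)."""
    old = set()
    for _, body in entries:
        for m in JRE_PATH.finditer(body):
            ver = tuple(int(m.group(g)) for g in ("major", "minor", "patch", "update"))
            if ver < min_version:
                old.add("jre%d.%d.%d_%d" % ver)
    return sorted(old)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("AppInit_DLLs entries:", appinit_dlls(found))
    print("Outdated JRE folders:", outdated_java(found))
```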

#7 eko718

  • Topic Starter
  • Members
  • 6 posts

Posted 02 November 2008 - 12:23 PM

The first time I ran ComboFix the popups finally stopped and my system seemed to be running normally, and my system seems fine now after having completed the remaining steps. My ZoneAlarm ran a virus scan by itself and detected SmitfraudFix (a program I had downloaded in an attempt to get rid of the virus myself prior to your recommendations) as a threat. I also downloaded Spyware Doctor.... Should I delete these programs? But my system seems fine now otherwise; thank you for your help.

Edited by eko718, 02 November 2008 - 12:24 PM.


#8 miekiemoes

Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 November 2008 - 12:37 PM

Hi,

It's still a pity that some programs detect SmitfraudFix as being malicious while it is not. Anyway, you can let it delete what it has found, since you won't need those programs anyway. :thumbsup:

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 November 2008 - 10:57 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.