Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus over here, virus over there... str*.tmp and friends


  • Please log in to reply
9 replies to this topic

#1 Xiggie

Xiggie

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 01 November 2008 - 03:29 PM

I have been besieged with viruses. I normally run 20 or 21 processes at boot up. Last night i was at 52. I have run spybotSD, superantispyware and malwarebytes to no avail. I have researched and researched and not found an answer to this. I think the reason might be that I prolly have several viruses. Either way, here is my malwarebytes log and I will include a hijack this log as well below it. Thanks in advance for any help. I am usually pretty good and researching and finding solutions but this one has got me. I did have a hijackthis log but it wont let me post it cause it is an older version. I downloaded the newer version but I can't get it to work because this virus is not allowing me to run Hijackthis anymore.

MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.30
Database version: 1352
Windows 5.1.2600 Service Pack 3

11/1/2008 2:55:14 PM
mbam-log-2008-11-01 (14-55-14).txt

Scan type: Full Scan (C:|)
Objects scanned: 137330
Time elapsed: 1 hour(s), 50 minute(s), 50 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 2
Registry Keys Infected: 33
Registry Values Infected: 9
Registry Data Items Infected: 4
Folders Infected: 13
Files Infected: 51

Memory Processes Infected:
C:Program FilesGetPackGetPack23.exe (Trojan.Agent) -> Unloaded process successfully.
C:Documents and SettingsXiggieApplication DataSpeedRunnerSpeedRunner.exe (Adware.SurfAccuracy) -> Unloaded process successfully.
C:Documents and SettingsXiggieApplication DataGoolGool.exe (Trojan.Agent) -> Unloaded process successfully.
C:WINDOWSsystem32brastk.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:Program FilesWebtoolswebtools.dll (Trojan.BHO) -> Delete on reboot.
C:Program FilesMjcoreMjcore.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOTTypeLib{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTInterface{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTCLSID{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTbho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTTypeLib{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTInterface{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTCLSID{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTbho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTtestcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTtestcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTAppID{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTAppID{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{0354731f-950c-4a53-bc2b-132b5ee6b0fa} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallicheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallOINAnalytics (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTAppIDOINAnalytics.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTAppIDBHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTAppIDtestCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMRSoft (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREtdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftcontim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallOuterinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTCLSID{6b221e01-f517-4959-8c41-81948e7f2f17} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRunfacegame (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRunfacegame (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRunikio (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRungetpack23 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRunspeedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRungool (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRuncsrcs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRunbrastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunbrastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerSearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainDefault_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainSearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerSearchUrlw (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:Program FilesOuterinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesOuterinfoFF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesOuterinfoFFcomponents (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesInetGet2 (Trojan.Downloader) -> Delete on reboot.
C:Program FilesWebtools (Trojan.Agent) -> Delete on reboot.
C:Program FilesOINAnalytics (Trojan.Agent) -> Delete on reboot.
C:Program FilesGetPack (Trojan.Agent) -> Quarantined and deleted successfully.
C:Program FilesiCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:Program FilesMjcore (Trojan.BHO) -> Delete on reboot.
C:Documents and SettingsXiggieStart MenuProgramsOuterinfo (Malware.Trace) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieApplication DataFacegame (Trojan.Agent) -> Delete on reboot.
C:Documents and SettingsXiggieApplication Dataspeedrunner (Adware.SurfAccuracy) -> Delete on reboot.
C:Documents and SettingsXiggieApplication DataGool (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:Program FilesWebtoolswebtools.dll (Trojan.BHO) -> Delete on reboot.
C:Documents and SettingsXiggieApplication DataFacegameFacegame.exe (Trojan.Agent) -> Delete on reboot.
C:Program FilesMjcoreMjcore.dll (Trojan.BHO) -> Delete on reboot.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5AM93KF3T152[1].net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5AM93KF3T156[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5AM93KF3T158[1].net (Adware.ISM) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5AQCPK7NP103[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5AQCPK7NP116[1].net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5AQCPK7NP157[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5IK2QOIHU104[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieLocal SettingsTemporary Internet FilesContent.IE5IK2QOIHU155[1].net (Trojan.Dropper) -> Quarantined and deleted successfully.
C:System Volume Information_restore{9992BE0A-5973-429D-AECA-90C0F36E7F3E}RP128A0018855.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:WINDOWSkarna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:WINDOWSsystem32ccejxc.dll (Adware.ClickSpring) -> Delete on reboot.
C:WINDOWSsystem32karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:WINDOWSsystem32driversRUTOMRUR.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:WINDOWSTempstf2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:WINDOWSTempVRT1.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:WINDOWSTemp__15.tmp (Trojan.Dropper) -> Delete on reboot.
C:WINDOWSTemp__17.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:WINDOWSTemp__C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:WINDOWSTemp__D.tmp (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:Program FilesOuterinfoTerms.rtf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesOuterinfoFFchrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesOuterinfoFFinstall.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesOuterinfoFFcomponentsFF.dll (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesOuterinfoFFcomponentsOuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:Program FilesInetGet2stub109_4_0_4_0.exe (Trojan.Downloader) -> Delete on reboot.
C:Program FilesOINAnalyticsOINAnalytics2.dll (Trojan.Agent) -> Delete on reboot.
C:Program FilesOINAnalyticsUninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:Program FilesGetPackdictame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:Program FilesGetPackGetPack23.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:Program FilesGetPacktrgtame.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:Program FilesiCheckiCheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:Program FilesiCheckUninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieStart MenuProgramsOuterinfoTerms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieStart MenuProgramsOuterinfoUninstall.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieApplication Dataspeedrunnerconfig.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieApplication DataspeedrunnerSpeedRunner.exe (Adware.SurfAccuracy) -> Delete on reboot.
C:Documents and SettingsXiggieApplication DataspeedrunnerSRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:Documents and SettingsXiggieApplication DataGoolGool.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:WINDOWSsystem32csrcs.exe (Trojan.Agent) -> Delete on reboot.
C:WINDOWSsystem32driversbeep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:WINDOWSsystem32dllcachebeep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:Program FilesMozilla Firefoxcomponentssrff.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:WINDOWSbrastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:WINDOWSsystem32brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:Program FilesCommon FilesYazzle3090OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:Program FilesCommon FilesYazzle3090OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:WINDOWSsystem32TDSSofxh.dll (Rootkit.Agent) -> Delete on reboot.
C:WINDOWSsystem32driversTDSSmqlt.sys (Rootkit.Agent) -> Delete on reboot.

I changed the name of hijackthis first to HJT, it still didnt work. then I changed the name of it to sneaky and now it works. Here is my current hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:20 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.exe
C:WINDOWSsystem32RUNDLL32.EXE
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesTrend Microsneaky bastardsneaky.exe

R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [LXCFCATS] rundll32 C:WINDOWSSystem32spoolDRIVERSW32X863LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [brastk] brastk.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-18..Run: [SfKg6wIP] C:Documents and SettingsXiggieApplication DataMicrosoftWindowsefteve.exe (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [Aida] "C:DOCUME~1XiggieAPPLIC~1ICROSO~1.NETrundll.exe" -vt yazb (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [Gtmulgro] "C:Documents and SettingsXiggieMy Documents?dober?gsvr32.exe" (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [brastk] C:WINDOWSsystem32brastk.exe (User 'SYSTEM')
O4 - HKUSS-1-5-18..Run: [Facegame] "C:Documents and SettingsXiggieApplication DataFacegameFacegame.exe" 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [SfKg6wIP] C:Documents and SettingsXiggieApplication DataMicrosoftWindowsefteve.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 - Extra context menu item: Enqueue current page with Bulk Image Downloader - file://C:Program FilesBulk Image Downloaderiemenuiebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Image Downloader - file://C:Program FilesBulk Image Downloaderiemenuiebidlinkqueue.htm
O8 - Extra context menu item: Open current page with Bulk Image Downloader - file://C:Program FilesBulk Image Downloaderiemenuiebid.htm
O8 - Extra context menu item: Open link target with Bulk Image Downloader - file://C:Program FilesBulk Image Downloaderiemenuiebidlink.htm
O8 - Extra context menu item: Save Flash - res://C:Program FilesUnH SolutionsFlash Saving PluginFlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:Program FilesUnH SolutionsFlash Saving PluginFlashSButton.dll (HKCU)
O15 - Trusted Zone: http://s2.travian.us
O15 - Trusted Zone: http://s3.travian.us
O15 - Trusted Zone: http://s4.travian.us
O15 - Trusted Zone: http://s5.travian.us
O15 - Trusted Zone: http://s6.travian.us
O15 - Trusted Zone: http://speed.travian.us
O15 - Trusted Zone: http://www.travian.us
O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167927348542
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168298813062
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity3000unlimited.ea.com/us/guid...yx/SimCityX.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal..._2_2_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_7.cab
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:Program FilesSUPERAntiSpywareSASWINLO.dll

--
End of file - 6095 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 01 November 2008 - 08:20 PM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:02 PM

Posted 02 November 2008 - 03:21 PM

Hi.

I'm Extremeboy (or EB for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favorites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, to track your topic. The topics you are tracking can be found here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both
    log.txt (<<will be maximized)
    info.txt (<<will be minimized)
The RSIT logs can also be found in the folder, C:\RSIT


Important Note: For other users who are reading this topic,the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed.Please Do NOT follow the instructions provided for this topic.

Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Xiggie

Xiggie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 02 November 2008 - 09:59 PM

First off let me say thank you for your help in this matter. I have always been able to rectify my computer issues using various searches but this one is beyond me. I have refrained from using my computer for the most part and have left it on but it does restart randomly. Before I got your message I ran spybot SD once more but it came up with only cache items. I did however delete a few things that I saw in regedit that had the brastk.exe mark on them. If you need the exact location I deleted them from I can post that. Other than that I have not ran any other progs on my computer. Just before I Contracted the viruses I was downloading programs from mininova. I deleted all the files that I had downloaded from there even though I had only opened one of them. I have also had to continually re-enable my firewall upon every re-boot. I also updated my computer via windows update. I have none of this has messed you up but I wanted to provide you every bit of info I could think of. Now that I have read your post I assure you I will not make any changes at all with my computer unless instructed to do so until we are sure this is gone from my computer. Incidentally I have not entered any passwords nor visited any secure sites since contracting these viruses. I am posting the logs you requested at the bottom of this message. Again. thank you.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Xiggie at 2008-11-02 21:45:30
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 8 GB (13%) free of 57 GB
Total RAM: 1023 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:43 PM, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Xiggie\Desktop\RSIT.exe
C:\Program Files\trend micro\Xiggie.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [SfKg6wIP] C:\Documents and Settings\Xiggie\Application Data\Microsoft\Windows\efteve.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Aida] "C:\DOCUME~1\Xiggie\APPLIC~1\ICROSO~1.NET\rundll.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Gtmulgro] "C:\Documents and Settings\Xiggie\My Documents\?dobe\r?gsvr32.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Facegame] "C:\WINDOWS\system32\config\systemprofile\Application Data\Facegame\Facegame.exe" 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SfKg6wIP] C:\Documents and Settings\Xiggie\Application Data\Microsoft\Windows\efteve.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enqueue current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Open current page with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O8 - Extra context menu item: Open link target with Bulk Image Downloader - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O15 - Trusted Zone: http://s2.travian.us
O15 - Trusted Zone: http://s3.travian.us
O15 - Trusted Zone: http://s4.travian.us
O15 - Trusted Zone: http://s5.travian.us
O15 - Trusted Zone: http://s6.travian.us
O15 - Trusted Zone: http://speed.travian.us
O15 - Trusted Zone: http://www.travian.us
O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167927348542
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168298813062
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity3000unlimited.ea.com/us/guid...yx/SimCityX.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal..._2_2_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_7.cab
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 6107 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"LXCFCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"brastk"=C:\WINDOWS\system32\brastk.exe [2008-11-02 30720]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 24064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd3cded04]
C:\WINDOWS\system32\irrficvj.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
C:\WINDOWS\system32\brastk.exe [2008-11-02 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadCamRun]
C:\Program Files\NCH Software\BroadCam\broadCam.exe -logon []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 24064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d0fede98]
C:\WINDOWS\system32\wgfxdiyv.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-04-01 499144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
DevDetect.exe -autorun []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-03-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\Xiggie\LOCALS~1\Temp\csrssc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ksjf93orkekfniw73nfdd]
C:\DOCUME~1\Xiggie\LOCALS~1\Temp\winlogen.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-07-25 563984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam\Quickcam.exe [2007-07-25 2027792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lpdckijo]
C:\WINDOWS\lpdckijo.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBCUniversal Media Manager Tray]
C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe /CustomId:NBCUniversal []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-09-04 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rs32net]
C:\WINDOWS\System32\rs32net.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe [2008-03-25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-02-24 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\mobile PhoneTools\WatchDog.exe [2004-08-14 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE [2007-05-10 738968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
C:\PROGRA~1\Belkin\USBF5D~1\WIRELE~1\BELKIN~1.EXE [2005-10-28 1417216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Xiggie^Start Menu^Programs^Startup^MagicDisc.lnk]
C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE [2008-07-28 587776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Xiggie^Start Menu^Programs^Startup^VirtuaGirl2.lnk]
C:\PROGRA~1\Vg\VIRTUA~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Xiggie^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
C:\mysql\bin\winmysqladmin.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2
"MySql"=2
"lxcf_device"=3
"CPUCooLServer"=2
"LVSrvLauncher"=2
"WMPNetworkSvc"=3
"usnjsvc"=3
"LVPrcSrv"=2
"LVCOMSer"=2
"BroadCamService"=2
"WLSetupSvc"=3
"NVSvc"=2
"nTuneService"=2
"MySQL5"=2
"MySQL51"=2
"MySQL501"=2
"FLEXnet Licensing Service"=3
"Bonjour Service"=2
"npkcmsvc"=2
"AdobeActiveFileMonitor6.0"=2
"psyche"=2
"icf"=2
"fci"=2
"aawservice"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\urqOGVOh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1glxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati1glxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\utorrent\utorrent.exe"="C:\Program Files\utorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\World of Warcraft\WoW.exe"="C:\Program Files\World of Warcraft\WoW.exe:*:Enabled:World of Warcraft"
"C:\Program Files\EA Games\Command and Conquer Generals\generals.exe"="C:\Program Files\EA Games\Command and Conquer Generals\generals.exe:*:Enabled:Command & Conquer Generals"
"C:\Program Files\EA Games\Command and Conquer Generals\WorldBuilder.exe"="C:\Program Files\EA Games\Command and Conquer Generals\WorldBuilder.exe:*:Enabled:Command & Conquer Generals Worldbuilder"
"C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\generals.exe"="C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\generals.exe:*:Enabled:Command and ConquerTM Generals Zero Hour"
"C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\WorldBuilder.exe"="C:\Program Files\EA Games\Command & Conquer Generals Zero Hour\WorldBuilder.exe:*:Enabled:Command and ConquerTM Generals Zero Hour Worldbuilder"
"C:\Program Files\Electronic Arts\Command & Conquer 3\CNC3.exe"="C:\Program Files\Electronic Arts\Command & Conquer 3\CNC3.exe:*:Enabled:Play Command & Conquer 3 Tiberium Wars"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Program Files\Anno 1701\Anno1701.exe"="C:\Program Files\Anno 1701\Anno1701.exe:*:Enabled:Anno 1701"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\World of Warcraft\Launcher.exe"="C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:World of Warcraft"
"D:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin"="D:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:*:Enabled:Project Torque"
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe"="D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe"="D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe"="D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe"="D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword"
"D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe"="D:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss"
"D:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe"="D:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe:*:Enabled:Stronghold 2"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd25ffed-fde4-11db-a345-dcc3b496eb9b}]
shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd25ffee-fde4-11db-a345-dcc3b496eb9b}]
shell\AutoRun\command - H:\setupSNK.exe


======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-11-02 21:45:30 ----D---- C:\rsit
2008-11-02 18:50:30 ----A---- C:\WINDOWS\system32\16.tmp
2008-11-02 18:50:28 ----A---- C:\WINDOWS\system32\14.tmp
2008-11-02 16:40:53 ----D---- C:\Program Files\ImageServer
2008-11-02 16:40:48 ----A---- C:\WINDOWS\pcdlib32.dll
2008-11-02 16:40:47 ----A---- C:\WINDOWS\system32\MSVCRT10.DLL
2008-11-02 16:40:47 ----A---- C:\WINDOWS\CTL3D32.DLL
2008-11-02 16:40:30 ----D---- C:\Program Files\PhotoDeluxe HE 3.0
2008-11-02 16:34:48 ----D---- C:\Documents and Settings\Xiggie\Application Data\Facegame
2008-11-02 15:14:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-11-02 15:14:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-11-02 15:14:36 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-11-02 15:13:43 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-11-02 15:12:44 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-11-02 15:07:35 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-11-02 15:07:17 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-02 15:06:04 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-11-01 16:54:46 ----A---- C:\DBS.TXT
2008-11-01 16:38:21 ----D---- C:\Program Files\Lavasoft
2008-11-01 16:38:21 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-01 15:25:43 ----D---- C:\Program Files\Trend Micro
2008-11-01 14:38:43 ----A---- C:\WINDOWS\system32\4.tmp
2008-11-01 14:38:40 ----A---- C:\WINDOWS\system32\2.tmp
2008-11-01 14:37:37 ----A---- C:\WINDOWS\brastk.exe
2008-11-01 14:36:16 ----A---- C:\WINDOWS\system32\delself.bat
2008-11-01 14:36:16 ----A---- C:\WINDOWS\system32\brastk.exe
2008-11-01 14:36:15 ----A---- C:\WINDOWS\system32\9.tmp
2008-11-01 14:36:11 ----A---- C:\WINDOWS\system32\7.tmp
2008-11-01 12:16:30 ----D---- C:\Documents and Settings\Xiggie\Application Data\?icrosoft.NET
2008-11-01 11:40:37 ----A---- C:\WINDOWS\system32\wpupsrdr.tmp
2008-10-31 21:43:59 ----D---- C:\Program Files\BoontyGames
2008-10-31 20:52:51 ----D---- C:\Program Files\ReflexiveArcade
2008-10-18 17:58:47 ----A---- C:\WINDOWS\Governor of Poker Uninstall Log.txt

======List of files/folders modified in the last 1 months======

2008-11-02 21:45:26 ----D---- C:\WINDOWS\Prefetch
2008-11-02 21:36:10 ----D---- C:\Program Files\Mozilla Firefox
2008-11-02 21:27:40 ----D---- C:\WINDOWS\Temp
2008-11-02 19:32:06 ----D---- C:\WINDOWS
2008-11-02 18:51:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-02 18:50:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-02 18:50:34 ----D---- C:\WINDOWS\system32
2008-11-02 16:40:53 ----AD---- C:\Program Files
2008-11-02 15:47:44 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-02 15:15:32 ----SHD---- C:\WINDOWS\Installer
2008-11-02 15:15:03 ----HD---- C:\WINDOWS\inf
2008-11-02 15:15:02 ----D---- C:\WINDOWS\system32\drivers
2008-11-02 15:14:57 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-02 15:14:53 ----A---- C:\WINDOWS\imsins.BAK
2008-11-02 15:14:20 ----D---- C:\Program Files\Internet Explorer
2008-11-02 15:07:39 ----D---- C:\WINDOWS\WinSxS
2008-11-02 15:03:01 ----D---- C:\Program Files\DivX
2008-11-02 12:06:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-01 22:10:18 ----RASH---- C:\boot.ini
2008-11-01 22:10:18 ----A---- C:\WINDOWS\win.ini
2008-11-01 22:10:18 ----A---- C:\WINDOWS\system.ini
2008-11-01 16:56:56 ----A---- C:\WINDOWS\ModemLog_Motorola USB Modem.txt
2008-11-01 16:37:20 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-01 15:09:59 ----D---- C:\Program Files\Java
2008-11-01 14:55:00 ----D---- C:\Program Files\HijackThis
2008-11-01 12:16:30 ----D---- C:\Program Files\Common Files
2008-11-01 02:18:34 ----D---- C:\WINDOWS\Minidump
2008-11-01 02:12:22 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-01 00:57:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 22:37:22 ----SHD---- C:\RECYCLER
2008-10-31 22:19:42 ----A---- C:\WINDOWS\system32\svchost.exe
2008-10-31 21:40:49 ----D---- C:\Documents and Settings\Xiggie\Application Data\uTorrent
2008-10-31 12:30:04 ----D---- C:\Program Files\World of Warcraft
2008-10-25 20:42:03 ----D---- C:\Program Files\Yahoo! Games
2008-10-25 20:41:53 ----D---- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-10-25 20:41:52 ----D---- C:\Documents and Settings\Xiggie\Application Data\PlayFirst
2008-10-25 20:36:12 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-23 16:30:02 ----D---- C:\Program Files\4PLAY
2008-10-23 16:11:46 ----A---- C:\WINDOWS\system32\SmrtDrive.dll
2008-10-20 15:06:36 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-18 18:58:31 ----D---- C:\Program Files\Lx_cats
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-07 12:19:42 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-04 11:38:36 ----D---- C:\WINDOWS\system32\DirectX
2008-10-03 12:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-10-03 11:38:14 ----D---- C:\Program Files\EverQuest

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-06-16 271360]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-06-16 18048]
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 36224]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2008-07-28 116736]
R3 moufiltr;Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-09-06 6784]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2007-01-25 10368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 ntiomin;ntiomin; C:\WINDOWS\system32\drivers\ntiomin.sys []
S1 SABKUTIL;SABKUTIL; \??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S2 npkcrypt;npkcrypt; \??\d:\Nexon\Mabinogi\npkcrypt.sys []
S2 RUTOMRUR;RUTOMRUR; \??\C:\WINDOWS\system32\drivers\RUTOMRUR.sys []
S3 a6vlan1k;a6vlan1k; C:\WINDOWS\system32\drivers\a6vlan1k.sys []
S3 aaudstum;aaudstum; \??\C:\DOCUME~1\Xiggie\LOCALS~1\Temp\aaudstum.sys []
S3 BCM42RLY;BCM42RLY; \??\C:\WINDOWS\System32\BCM42RLY.SYS []
S3 BLKWGU(Belkin);Belkin Wireless G USB Network Adapter(Belkin); C:\WINDOWS\system32\DRIVERS\BLKWGU.sys [2005-11-10 402944]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver; C:\WINDOWS\System32\DRIVERS\DM9PCI5.SYS [2001-08-17 29696]
S3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2004-08-04 606684]
S3 LVcKap;Logitech AEC Driver; C:\WINDOWS\system32\DRIVERS\LVcKap.sys [2007-07-20 2109592]
S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys [2007-07-20 2142488]
S3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2007-07-18 25624]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2007-07-18 41752]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 npkcusb;npkcusb; \??\d:\Nexon\Mabinogi\npkcusb.sys []
S3 NVR0Dev;NVR0Dev; \??\C:\WINDOWS\nvoclock.sys []
S3 pepifilter;Volume Adapter; C:\WINDOWS\system32\DRIVERS\lv302af.sys [2007-07-18 13848]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2007-07-18 1278104]
S3 RT73;Linksys Home Wireless-G USB Adapter Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2005-11-03 245504]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 ZDPSp50;ZDPSp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\ZDPSp50.sys [2004-10-25 17664]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-10-31 14336]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-10-31 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 49152]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 876544]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-10-31 14336]
S4 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-11-01 611664]
S4 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-08-26 663552]
S4 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2007-07-20 186904]
S4 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2007-07-20 137752]
S4 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-07-20 141848]
S4 lxcf_device;lxcf_device; C:\WINDOWS\system32\lxcfcoms.exe [2005-07-25 503808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 135168]
S4 npkcmsvc;npkcmsvc; d:\Nexon\Mabinogi\npkcmsvc.exe []
S4 nTuneService;nTune Service; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-09-04 143360]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 172098]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S4 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 274944]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 922112]


info.txt logfile of random's system information tool 1.04 2008-11-02 21:45:47

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1602 A.D.-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\1602 A.D.\Uninst.isu"
4PLAY 5.0-->C:\PROGRA~1\4PLAY\UNWISE.EXE C:\PROGRA~1\4PLAY\INSTALL.LOG
ACDSee Pro-->MsiExec.exe /I{F99F74B4-972B-4B06-B893-6B3B0DB0128B}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Aspell English Dictionary-0.50-2-->"C:\Program Files\Aspell\unins001.exe"
Belkin Wireless USB Utility-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A6359CCF-215D-43D9-8366-479D231F2A72}
Build-a-lot 2 Town of the Year-->MsiExec.exe /X{E5314F01-5759-4535-968B-252BFF4740F9}
Bulk Image Downloader v1.35.0.6-->"C:\Program Files\Bulk Image Downloader\unins000.exe"
CDRWIN 6.1-->MsiExec.exe /I{C8310658-4019-4934-A7AC-AD1E35EDD8F5}
Cheat Engine 5.4-->"C:\Program Files\Cheat Engine\unins000.exe"
Debut-->C:\Program Files\NCH Software\Debut\uninst.exe
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EverQuest: Shadows of Luclin-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CDA03B05-0524-11D6-B881-00A0CC58DEE4}\setup.exe"
EverQuest: SOV-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD494BAD-BA13-11D4-8737-00A0CC58DEE4}\setup.exe"
EverQuest-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EverQuest\Uninst.isu"
Flash Saving Plugin-->"C:\Program Files\UnH Solutions\Flash Saving Plugin\unins000.exe"
FLV Player 2.0, build 24-->C:\Program Files\FLV Player\uninst.exe
GIMP 2.4.7-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
GNU Aspell 0.50-3-->"C:\Program Files\Aspell\unins000.exe"
GTK+ Runtime 2.12.8 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\sneaky bastard\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Imaging Device Functions 9.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Cameras 9.0-->C:\Program Files\HP\Digital Imaging\{9D352FC3-8DAF-4174-BE50-4DF1064387CF}\setup\hpzscr01.exe -datfile hpiscr06.dat
HP Photosmart Essential 2.01-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Solution Center 9.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Java™ 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Kudos (remove only)-->"C:\Program Files\Yahoo! Games\Kudos\Uninstall.exe"
L&H TTS3000 British English-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSENG.inf, Uninstall
Lexmark 730 Series-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcfUNST.EXE -NOLICENSE
LiveUpdate BVRP Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Logitech QuickCam-->MsiExec.exe /X{364EC092-93CF-4DDC-9D7A-7278452028E0}
Logitech® Camera Driver-->"C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Magic ISO Maker v5.5 (build 0272)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.7.105-->C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mobile PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
Motorola Handset USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44B3522B-195C-488D-84AC-9526FA99CB73}\Setup.exe"
Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MVision-->MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
NCH Toolbox-->C:\Program Files\NCH Swift Sound\ToolBox\uninst.exe
Netscape Navigator (9.0.0.5)-->C:\Program Files\Netscape\Navigator 9\uninstall\helper.exe
NVDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EC003A3-51E9-4019-BEC0-DF99B0DF5CCF}\setup.exe" -uninstall
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA nTune-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Risk-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Risk\Uninst.isu"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sid Meier's Civilization 4 - Beyond the Sword-->C:\Program Files\InstallShield Installation Information\{32E4F0D2-C135-475E-A841-1D59A0D22989}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4 - Warlords-->C:\Program Files\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Sierra On-Line Games (Remove only)-->C:\SIERRA\SETUP.EXE /U
SimCity 3000-->C:\WINDOWS\IsUninst.exe -fd:\PROGRA~1\Maxis\SIMCIT~1\Uninst.isu
Space Colony-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42C402C3-F95B-4BA2-BC90-99816AAF8159}\setup.exe" -l0x9
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy 1.5.2.20-->"C:\WINDOWS\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Hosts File======

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Perl\bin\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0204
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------

#4 Xiggie

Xiggie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 02 November 2008 - 10:17 PM

Also, I noticed new files on my computer. I double click on my computer and view on classic view and it shows the local drives and my other drives and all that, but it also shows an icon titled Web Folders, and another titled My Digital Camera. Double clicking on web folders gives me an icon titled My Web Sites on MSN. Double clicking on that wants me to enter my password for Windows Live ID, (already has my username on it) and of course I did not. Double clicking on My Digital Camera gives me absolutely nothing. The icon for MDC is the same thing if windows does not know what kind of program it is. Right clicking on either one gives me the same options as when I click on my sharing folders, (Open, Explore, scan using spybot... and create shortcut). I am mentioning these because I did not see them before the viruses and I did notice they were there before the windows update so they are not a product of the update.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:02 PM

Posted 03 November 2008 - 08:03 AM

Hi again.

Thanks for the information :thumbsup:

I need sometime to look over your log and it looks very infected. From now on please refrain from going on the web too much. I probably won't reply back until tomorrow. So check back tomorrow. You have a serious infection and I would suggest not going on the internet too much. Dis-connecting from the internet when you are not using it may be a good idea.

Wtih Regards,
Extremeoby

Edit: Order of words..

Edited by extremeboy, 03 November 2008 - 03:21 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:02 PM

Posted 04 November 2008 - 04:31 PM

Hi again. Sorry for the delay.

You have alot of infections that we need to deal with.

Posted ImageBackdoor Threat
Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue to disinfect please follow the instructions below:

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1,Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It
is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Post back with:
-Combofix log
-Fresh RSIT log


Thanks :thumbsup:

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Xiggie

Xiggie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 04 November 2008 - 06:10 PM

I think the best course of action is for me to reformat and start from scratch. I am not going to bother saving any information from either of my drives as I feel it would possibly be compromised with viruses. I thank you for your help and advice. Since noticing irregularities with my computer I have not signed in my bank at all. When I do log in I have to enter my password every time. Since I have not entered that password and it is different than any other password I have would it be safe to guess that my bank password is safe? I do not have that password saved anywhere on my computer. I use firefox as my primary browser but have used IE on this computer before.

Xiggie

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:02 PM

Posted 04 November 2008 - 06:29 PM

Hi Xiggie.

If you wish to format, then so be it.

Since I have not entered that password and it is different than any other password I have would it be safe to guess that my bank password is safe? I do not have that password saved anywhere on my computer.

Well, if you never used it, then I would say it is safe. However, the best suggestion would be to format your computer and afterwards you should change you password because I believe you have used it in the past? If you NEVER used it during the time you know where the infection started then it would be safe.

To be on the safe side I would still change it ;)

Good luck on the format :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 Xiggie

Xiggie
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 04 November 2008 - 11:59 PM

Well I formatted and am getting everything back on my computer. And to confirm with you, I had signed into my account on this computer before but not for a while so I am pretty confident I didnt breach my banking security. None the less I am going to change the password anyway simply because it has been the same now for quite a while. Thanks again for your help. It makes me feel a little better to hear you say it was a really tough one because it was the first time I was not able to clear up my own pc.

Xiggie

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:02 PM

Posted 05 November 2008 - 07:31 AM

Hi Xiggie.

Glad you finished formatting your computer.

None the less I am going to change the password anyway simply because it has been the same now for quite a while.

:thumbsup:

No Problem and glad I was able to help.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users