Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Automatic update disabled/ Vundo.FBW(F-secure)/rapidscan 360


  • This topic is locked This topic is locked
13 replies to this topic

#1 jadams1410

jadams1410

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 13 December 2008 - 03:33 PM

1) Firefox and IExplorer were/are being hijacked

2) ads for fake antivirus popped up (antivirus-rapidscan 360)

3) automatic updates shutdown and can not restart.

4) Symantec Endpoint Protection went down and is now back on but finds nothing

Steps to fix so far:

a) Hijackthis - I should know a lot more than I do to use this

:thumbsup: Eusing Free registry cleaner - again I need to know a lot more than I do before running this (also I made changes at this point - oops)

c) Found Old Timer's post fixing automatic updates problem

http://www.bleepingcomputer.com/forums/t/149498/virtumondedll-infection-and-automatic-updates-disabled-among-other-things/

Downloaded OTScanit.exe, ATF-Cleaner.exe, avenger.exe, spybotsd160.exe, cureit.exe

Ran otScanit.exe and All I could get out of it myself was that I needed to delete

Files to delete:
%SystemRoot%\system32\urqOHXrp.dll
%SystemRoot%\system32\khfFXopP.dll
%SystemRoot%\system32\afzzkh.dll
%SystemRoot%\System32\hgGyxULE.dll
%SystemRoot%\System32\npffytcw.ini
%SystemRoot%\System32\odeqlwst.dll
%SystemRoot%\System32\PpoXFfhk.ini
%SystemRoot%\System32\PpoXFfhk.ini2
%SystemRoot%\System32\wctyffpn.dll


So I used avenger.exe

Then I ran f-secure online virus scan. It came back with 3 trackers and 1 virus (Vundo.FBW)

I have disconnected the computer from the internet. I am using a laptop to get files and a thumb drive to interact with the infected computer.

Below are the two files from RSIT: first the info.txt

info.txt logfile of random's system information tool 1.04 2008-12-13 12:21:12

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\NuNInst.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acronis True Image Home-->MsiExec.exe /X{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Amazon MP3 Downloader 1.0.3-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft PhotoImpression 6-->C:\Program Files\InstallShield Installation Information\{D03E7B00-CA85-4684-9321-1888873C34BD}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Cakewalk Home Studio 9-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Cakewalk\Cakewalk Home Studio 9\Uninst.isu"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Dynamic Energy Saver 1.0 B8.0128.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5869CE1E-BC0B-4648-B1AE-6EF4A985590C}\setup.exe" -l0x9 -removeonly
EasyTune5Pro-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Gigabyte\ET5Pro\Uninst.isu" -c"C:\Program Files\Gigabyte\ET5Pro\uninstdrv.dll"
ETC B07.1219.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C6105B4-2A33-4ADB-89A0-F423D562F3B9}\setup.exe" -l0x9 -removeonly
Eusing Free Registry Cleaner-->C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
InfraRecorder-->C:\Program Files\InfraRecorder\uninstall.exe
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LiveUpdate 3.3 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Maple 9-->"C:\Program Files\Maple 9\Uninstall\Uninstall Maple 9.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 6.0 Professional Edition-->"C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft VM for Java-->RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Motorola Driver Installation 3.5.0-->MsiExec.exe /I{D2BD3C8F-9D7F-472B-BDF9-7309A5CB813A}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.18)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero 8-->MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
PC Image Editor-->C:\WINDOWS\PC Image Editor Uninstaller.exe
Picture Resize Genius 2.9.2-->"C:\Program Files\Picture Resize Genius\unins000.exe"
Pinnacle Express-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2158698-9937-4546-85A9-1064E82350F7}\Setup.exe" -l0x9 UNINSTALLUNINSTALL
Pinnacle Instant DVD Recorder-->MsiExec.exe /X{C1212AE3-DBB9-4365-8473-F8ABC7B06BBB}
Pinnacle Studio 12-->MsiExec.exe /I{D041EB9E-890A-4098-8F94-51DA194AC72A}
Pinnacle Studio AV/DV-->C:\PROGRA~1\Pinnacle\STUDIO~3\UNWISE.EXE C:\PROGRA~1\Pinnacle\STUDIO~3\INSTALL.LOG
Pinnacle Studio LINX-->C:\PROGRA~1\Pinnacle\STUDIO~2\UNWISE.EXE C:\PROGRA~1\Pinnacle\STUDIO~2\INSTALL.LOG
Pinnacle TVCenter Pro-->"C:\Program Files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exe"UNINSTALL /l0x0409 -removeonly
Pinnacle Video Driver-->MsiExec.exe /X{5EB90C06-964F-4195-B83E-BD7E55C88415}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
SafeCast Shared Components-->C:\WINDOWS\CDAC13BA.EXE /uninstall
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SiSoftware Sandra Lite 2009-->"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Studio-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Pinnacle\Studio 7\Studio7.isu" -cC:\WINDOWS\Studio7.dll
Style Enhancer Micro 1.28-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NTONYX\SEM128\se128.isu"
Symantec Endpoint Protection-->MsiExec.exe /I{BB0500E8-A6D5-4D66-A4F9-1457530E5B6F}
SYSTEM_INFO B07.1219.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC4914EF-6618-4949-A1CF-BD4917A00221}\setup.exe" -l0x9 -removeonly
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Visioneer 3100 USB Scanner Driver-->C:\WINDOWS\twain_32\paprport\3100bUSB\UNWISE.EXE C:\WINDOWS\twain_32\paprport\3100bUSB\INSTALL.LOG
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: Symantec Endpoint Protection

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Pinnacle\Shared Files\;C:\Program Files\Pinnacle\Shared Files\Filter\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=1707
"NUMBER_OF_PROCESSORS"=4
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SAN_DIR"=C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
Then the log.txt:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-12-13 12:20:54
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 237 GB (58%) free of 410 GB
Total RAM: 2046 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:08 PM, on 12/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Prime95_V25\prime95.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {0B325C42-CA50-4E6F-9D06-57FB1295DDF7} - C:\WINDOWS\system32\khfFXopP.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {e8eff23b-b816-be79-ccf4-e5e1cde18376} - {67381edc-1e5e-4fcc-97eb-618bb32ffe8e} - C:\WINDOWS\system32\afzzkh.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\urqOHXrp.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [145c109d] rundll32.exe "C:\WINDOWS\system32\wctyffpn.dll",b
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Owner\My Documents\CellPhoneDir\P2kCommander-V4.9.C\P2kAutostart.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: urqOHXrp - urqOHXrp.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95_V25\prime95.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7922 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B325C42-CA50-4E6F-9D06-57FB1295DDF7}]
C:\WINDOWS\system32\khfFXopP.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67381edc-1e5e-4fcc-97eb-618bb32ffe8e}]
C:\WINDOWS\system32\afzzkh.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\urqOHXrp.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-28 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-28 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-12-04 8523776]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-12-04 81920]
"GEST"=C:\Program Files\GIGABYTE\GEST\RUN.exe [2007-12-14 236040]
"EasyTuneVPro"=C:\Program Files\Gigabyte\ET5Pro\ETcall.exe [2007-07-26 20480]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-02-28 570664]
"SecurDisc"=C:\Program Files\Nero\Nero8\InCD\NBHGui.exe [2008-02-28 2049320]
"InCD"=C:\Program Files\Nero\Nero8\InCD\InCD.exe [2008-02-28 1083176]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2008-02-18 2221352]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-09-25 115560]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2008-04-09 2595792]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2008-04-09 909208]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2008-04-09 136472]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-28 136600]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"145c109d"=C:\WINDOWS\system32\wctyffpn.dll []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"=C:\Documents and Settings\Owner\My Documents\CellPhoneDir\P2kCommander-V4.9.C\P2kAutostart.exe [2007-01-25 24576]
"PMCRemote"=C:\Program Files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe [2008-05-09 267536]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqOHXrp]
urqOHXrp.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\urqOHXrp.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap
C:\WINDOWS\system32\khfFXopP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SmcService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe:*:Enabled:SiSoftware Deployment Agent Service"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\Program Files\Nero\Nero8\Nero Home\NeroHome.exe"="C:\Program Files\Nero\Nero8\Nero Home\NeroHome.exe:*:Disabled:Nero Home"
"C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe"="C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe"="C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service"
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE"="C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service"
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe"="C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe:*:Enabled:Render Manager"
"C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe:*:Enabled:Studio"
"C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe"="C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe:*:Enabled:umi"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-13 12:20:55 ----D---- C:\Program Files\trend micro
2008-12-13 12:20:54 ----D---- C:\rsit
2008-12-13 12:15:41 ----D---- C:\Avenger
2008-12-13 12:15:41 ----A---- C:\avenger.txt
2008-12-13 09:14:12 ----D---- C:\fsaua.data
2008-12-13 01:33:33 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-13 01:33:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-12 11:32:29 ----A---- C:\WINDOWS\system32\1f7fd4e3-.txt
2008-12-12 10:35:25 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 10:35:16 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-12 10:33:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 10:33:39 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-12 10:33:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 10:33:22 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-12 10:33:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-12-12 10:33:02 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-12-11 16:45:30 ----D---- C:\Documents and Settings\Owner\Application Data\Ahead
2008-12-10 22:59:09 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-12-10 22:59:08 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2008-12-10 22:58:38 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-12-10 22:58:33 ----D---- C:\Program Files\Windows Media Connect 2
2008-12-10 22:58:23 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2008-12-10 22:57:51 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2008-12-10 22:57:11 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-10 22:57:06 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2008-12-10 22:06:22 ----A---- C:\WINDOWS\cdplayer.ini
2008-12-10 22:05:49 ----D---- C:\Program Files\Common Files\xing shared
2008-12-10 22:05:30 ----D---- C:\Documents and Settings\Owner\Application Data\Real
2008-12-10 19:56:13 ----D---- C:\Program Files\Any Sound Recorder
2008-12-10 12:48:23 ----D---- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-12-10 12:46:32 ----D---- C:\Documents and Settings\Owner\Application Data\ArcSoft
2008-12-10 12:46:30 ----D---- C:\Program Files\Common Files\ArcSoft
2008-12-10 12:46:30 ----A---- C:\WINDOWS\system32\unicows.dll
2008-12-10 12:46:30 ----A---- C:\WINDOWS\PCDLIB32.DLL
2008-12-10 12:46:20 ----D---- C:\WINDOWS\system32\PhotoImpression Slideshow
2008-12-10 12:46:20 ----D---- C:\Program Files\ArcSoft
2008-12-10 12:45:24 ----A---- C:\WINDOWS\PERFV200P.ini
2008-12-10 12:01:06 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
2008-12-10 11:38:51 ----A---- C:\Documents and Settings\All Users\Application Data\__wdump.txt
2008-12-10 11:29:39 ----D---- C:\Program Files\Common Files\Pinnacle
2008-12-10 11:29:13 ----D---- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Ultimate
2008-12-10 11:26:19 ----D---- C:\Program Files\Common Files\Pegasus Imaging
2008-12-10 11:26:14 ----D---- C:\Program Files\Common Files\Yahoo!
2008-12-10 11:26:14 ----D---- C:\Documents and Settings\All Users\Application Data\Studio 12
2008-12-10 11:26:14 ----D---- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Plus
2008-12-10 09:32:55 ----D---- C:\Program Files\DivX
2008-12-10 09:31:22 ----N---- C:\WINDOWS\system32\msvcr71d.dll
2008-12-10 09:31:22 ----N---- C:\WINDOWS\system32\msvcr70d.dll
2008-12-10 09:31:22 ----N---- C:\WINDOWS\system32\msvcp71d.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\msvcp70d.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\mfc71d.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\HHActiveX.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\DivXEncSettings.txt
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\msvcr80.dll
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\msvcp80.dll
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\MSVCP70.DLL
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\MFC71u.dll
2008-12-10 09:27:14 ----D---- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-12-10 09:13:55 ----RA---- C:\WINDOWS\system32\SimCoInstDev2.dll
2008-12-10 09:13:49 ----A---- C:\WINDOWS\system32\PsisDecd.dll
2008-12-10 09:13:48 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2008-12-09 17:40:58 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-07 20:04:24 ----A---- C:\WINDOWS\Studio7.ini
2008-12-07 20:04:24 ----A---- C:\WINDOWS\Studio7.dll
2008-12-07 20:01:17 ----A---- C:\WINDOWS\system32\pclepim1.dll
2008-12-07 20:01:17 ----A---- C:\WINDOWS\system32\miroDVun.dll
2008-12-07 20:01:17 ----A---- C:\WINDOWS\system32\miroDV2bmp.dll
2008-12-07 20:01:16 ----A---- C:\WINDOWS\system32\miroDV2avi.dll
2008-12-07 19:43:49 ----A---- C:\WINDOWS\system32\gear81sd.DLL
2008-12-07 18:47:35 ----D---- C:\WINDOWS\Minidump
2008-11-30 17:03:55 ----D---- C:\Documents and Settings\Owner\Application Data\Acronis
2008-11-29 22:04:09 ----D---- C:\WINDOWS\avdv.drv
2008-11-29 22:03:07 ----A---- C:\WINDOWS\RSETPATH.exe
2008-11-29 22:01:00 ----D---- C:\Program Files\directx
2008-11-29 21:56:36 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2008-11-29 21:56:35 ----D---- C:\Program Files\Real
2008-11-29 21:56:35 ----A---- C:\WINDOWS\system32\pndx5032.dll
2008-11-29 21:56:35 ----A---- C:\WINDOWS\system32\pndx5016.dll
2008-11-29 21:56:35 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-11-29 21:56:34 ----D---- C:\Program Files\Common Files\Real
2008-11-29 21:55:23 ----N---- C:\WINDOWS\system32\MASE32.DLL
2008-11-29 21:55:23 ----N---- C:\WINDOWS\system32\MASD32.DLL
2008-11-29 21:55:23 ----N---- C:\WINDOWS\system32\MAMC32.DLL
2008-11-29 21:55:23 ----A---- C:\WINDOWS\system32\PCLEGetGuid.dll
2008-11-29 21:55:23 ----A---- C:\WINDOWS\system32\Mamc32d.dll
2008-11-29 21:55:22 ----N---- C:\WINDOWS\system32\MACD32.DLL
2008-11-29 21:55:22 ----N---- C:\WINDOWS\system32\MA32.DLL
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\vdrmux.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\vdrcodec.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\MLPagAx.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\langserv.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\Cachex.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\Aviprax.dll
2008-11-29 21:55:07 ----A---- C:\WINDOWS\system32\RALMain.dll
2008-11-29 21:55:07 ----A---- C:\WINDOWS\system32\MMAviAx.dll
2008-11-29 21:55:07 ----A---- C:\WINDOWS\system32\DiskIO.dll
2008-11-29 21:52:40 ----D---- C:\Program Files\Pinnacle
2008-11-28 15:23:20 ----D---- C:\Program Files\iPod
2008-11-28 15:23:17 ----D---- C:\Program Files\iTunes
2008-11-28 15:23:17 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 15:22:23 ----D---- C:\Program Files\Bonjour
2008-11-28 15:21:47 ----D---- C:\Program Files\QuickTime
2008-11-28 14:42:53 ----D---- C:\WINDOWS\Sun
2008-11-28 09:42:07 ----A---- C:\WINDOWS\system32\deploytk.dll

======List of files/folders modified in the last 1 months======

2008-12-13 12:20:55 ----RD---- C:\Program Files
2008-12-13 12:19:27 ----D---- C:\WINDOWS\system32
2008-12-13 12:19:03 ----D---- C:\WINDOWS\Temp
2008-12-13 12:17:30 ----D---- C:\Program Files\Prime95_V25
2008-12-13 12:15:41 ----D---- C:\WINDOWS\system32\drivers
2008-12-13 11:02:55 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-13 11:02:50 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-13 10:58:22 ----D---- C:\Program Files\Mozilla Firefox
2008-12-13 09:16:32 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-13 01:04:18 ----D---- C:\WINDOWS\Prefetch
2008-12-12 15:52:32 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-12 15:48:09 ----D---- C:\WINDOWS
2008-12-12 10:35:27 ----HD---- C:\WINDOWS\inf
2008-12-12 10:35:23 ----A---- C:\WINDOWS\imsins.BAK
2008-12-12 10:35:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-12 10:35:15 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-12 10:34:41 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-12 10:26:35 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-11 17:39:07 ----D---- C:\Program Files\Mozilla Thunderbird
2008-12-10 22:58:38 ----A---- C:\WINDOWS\win.ini
2008-12-10 22:58:33 ----D---- C:\Program Files\Windows Media Player
2008-12-10 22:58:30 ----D---- C:\WINDOWS\Help
2008-12-10 22:05:49 ----D---- C:\Program Files\Common Files
2008-12-10 13:12:49 ----SHD---- C:\WINDOWS\Installer
2008-12-10 13:11:47 ----HD---- C:\Config.msi
2008-12-10 12:46:19 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-10 11:29:49 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2008-12-10 11:29:44 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-10 11:28:24 ----RSD---- C:\WINDOWS\Fonts
2008-12-10 10:03:47 ----RSD---- C:\WINDOWS\assembly
2008-12-10 10:03:47 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-10 09:29:39 ----D---- C:\WINDOWS\WinSxS
2008-12-10 09:29:20 ----D---- C:\Program Files\Internet Explorer
2008-12-10 09:29:15 ----D---- C:\WINDOWS\pchealth
2008-12-09 17:41:21 ----D---- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-12-09 17:39:54 ----D---- C:\Program Files\Adobe
2008-12-09 16:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-09 13:04:18 ----D---- C:\WINDOWS\Registration
2008-12-09 12:58:23 ----D---- C:\Program Files\Picture Resize Genius
2008-12-07 19:42:41 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-30 23:10:53 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2008-11-30 23:08:36 ----D---- C:\WINDOWS\twain_32
2008-11-30 21:32:49 ----A---- C:\WINDOWS\system32\Days5.ini
2008-11-28 15:23:19 ----D---- C:\Program Files\Common Files\Apple
2008-11-28 09:41:56 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-28 09:41:56 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-28 09:41:56 ----A---- C:\WINDOWS\system32\java.exe
2008-11-28 09:41:53 ----D---- C:\Program Files\Java

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 InCDPass;Nero InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys [2008-02-28 38952]
R1 incdrm;Nero InCD MRW Remapper; C:\WINDOWS\system32\drivers\InCDRm.sys [2008-02-28 40360]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 LStone;Pinnacle Systems Studio AV/DV Overlay; C:\WINDOWS\system32\DRIVERS\lstone2k.sys [2002-01-09 238048]
R1 MemAlloc;MemAlloc; C:\WINDOWS\system32\DRIVERS\memalloc.sys [2001-08-28 10016]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2008-09-25 279088]
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2008-09-25 43696]
R2 CdaC15BA;CdaC15BA; \??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS []
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-10-26 44384]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 ET5Drv;ET5Drv; \??\C:\WINDOWS\system32\Drivers\ET5Drv.sys []
R3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-02-14 4676096]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-09-23 171520]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081212.023\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081212.023\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-04 7435392]
R3 OmniTV;Cx2388x AvStream Video Capture; C:\WINDOWS\system32\DRIVERS\OmniTV.sys [2008-04-29 401280]
R3 Pfc;Padus ASPI Shell; \??\C:\WINDOWS\system32\drivers\pfc.sys []
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-01-03 105856]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R4 InCDfs;Nero InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys [2008-02-28 128424]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
S3 MotDev;Motorola Inc. USB Device; C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-14 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\Sandra.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2008-09-25 317616]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2008-04-09 431384]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-09-25 108392]
R2 InCDsrv;InCD Helper; C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe [2008-02-28 1440552]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2008-02-18 877864]
R2 NeroRegInCDSrv;Nero Registry InCD Service; C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2008-02-28 53032]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-12-04 155716]
R2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [2006-12-19 81920]
R2 Prime95 Service;Prime95 Service; C:\Program Files\Prime95_V25\prime95.exe [2008-10-05 4558848]
R2 SmcService;Symantec Management Client; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [2008-09-25 2479488]
R2 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2008-04-09 492896]
R3 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-09-25 108392]
R3 GEST Service;GEST Service for program management.; C:\Program Files\GIGABYTE\GEST\GSvr.exe [2007-12-14 47624]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 Symantec AntiVirus;Symantec Endpoint Protection; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2008-09-25 2238904]
S1 InCDRec;Nero InCD File System Recognizer; C:\WINDOWS\system32\drivers\InCDRec.sys [2008-02-28 17448]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-08-11 3093872]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-02-28 529704]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-09-08 98488]
S3 SNAC;Symantec Network Access Control; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [2008-09-25 296328]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 C-DillaCdaC11BA;C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [2008-10-11 52736]

-----------------EOF-----------------

The OTScannIt.txt is an attachment. Keep in mind I have already tried to delete some of the .dll and .ini files as stated above.

Any help with this is much appreciated. - jadams1410

Attached Files



BC AdBot (Login to Remove)

 


#2 jadams1410

jadams1410
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 14 December 2008 - 11:04 PM

Ran Malwarebytes' Anti-Malware and am attaching the output file. Looks like that did quite a bit.

The Automatic update for MS is now working. Still not sure if the system is right in the registry.

Would like someone to look at the reg file stuff. I can redo a scan and post another log no problem.

Thanks for the time looking at this. - jadams1410

Attached Files



#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:02 PM

Posted 20 December 2008 - 07:15 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • After it has finished, two logs will open. Please post the contents of both. log.txt will be maximized and info.txt will be minimized.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 jadams1410

jadams1410
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 24 December 2008 - 02:59 AM

Thanks for getting back to me. Here is the log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-12-24 00:44:04
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 231 GB (56%) free of 410 GB
Total RAM: 2046 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:05 AM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Prime95_V25\prime95.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Gigabyte\ET5Pro\GUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Desktop\VirusHelp\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {0B325C42-CA50-4E6F-9D06-57FB1295DDF7} - C:\WINDOWS\system32\khfFXopP.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Owner\My Documents\CellPhoneDir\P2kCommander-V4.9.C\P2kAutostart.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95_V25\prime95.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7850 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B325C42-CA50-4E6F-9D06-57FB1295DDF7}]
C:\WINDOWS\system32\khfFXopP.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-28 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-28 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-12-04 8523776]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-12-04 81920]
"GEST"=C:\Program Files\GIGABYTE\GEST\RUN.exe [2007-12-14 236040]
"EasyTuneVPro"=C:\Program Files\Gigabyte\ET5Pro\ETcall.exe [2007-07-26 20480]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-02-28 570664]
"SecurDisc"=C:\Program Files\Nero\Nero8\InCD\NBHGui.exe [2008-02-28 2049320]
"InCD"=C:\Program Files\Nero\Nero8\InCD\InCD.exe [2008-02-28 1083176]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2008-02-18 2221352]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-09-25 115560]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2008-04-09 2595792]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2008-04-09 909208]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2008-04-09 136472]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-28 136600]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-12-10 185872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"=C:\Documents and Settings\Owner\My Documents\CellPhoneDir\P2kCommander-V4.9.C\P2kAutostart.exe [2007-01-25 24576]
"PMCRemote"=C:\Program Files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe [2008-05-09 267536]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap
C:\WINDOWS\system32\khfFXopP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SmcService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutorun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Nero\Nero8\Nero Home\NeroHome.exe"="C:\Program Files\Nero\Nero8\Nero Home\NeroHome.exe:*:Disabled:Nero Home"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes"
"C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe"="C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe:*:Disabled:Nero ShowTime"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe"="C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe:*:Disabled:Render Manager"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe:*:Disabled:SiSoftware Deployment Agent Service"
"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\RpcSandraSrv.exe:*:Disabled:SiSoftware Sandra Agent Service"
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe"="C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Disabled:SMC Service"
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE"="C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Disabled:SNAC Service"
"C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe:*:Disabled:Studio"
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Disabled:Symantec Email"
"C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe"="C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe:*:Disabled:umi"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-23 12:55:05 ----D---- C:\Program Files\KeyCarbon Windows Utility
2008-12-22 09:03:58 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-12-22 03:01:06 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2008-12-22 03:00:50 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2008-12-13 17:18:35 ----RASHD---- C:\autorun.inf
2008-12-13 13:48:55 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-12-13 13:48:51 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-13 13:48:51 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-13 12:20:55 ----D---- C:\Program Files\trend micro
2008-12-13 12:20:54 ----D---- C:\rsit
2008-12-13 12:15:41 ----D---- C:\Avenger
2008-12-13 12:15:41 ----A---- C:\avenger.txt
2008-12-13 09:14:12 ----D---- C:\fsaua.data
2008-12-13 01:33:33 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-13 01:33:33 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-12 10:35:25 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 10:35:16 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-12 10:33:55 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 10:33:39 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-12 10:33:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 10:33:22 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-12 10:33:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-12-12 10:33:02 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP11$
2008-12-11 16:45:30 ----D---- C:\Documents and Settings\Owner\Application Data\Ahead
2008-12-10 22:59:09 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-12-10 22:59:08 ----HDC---- C:\WINDOWS\$NtUninstallMSCompPackV1$
2008-12-10 22:58:38 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-12-10 22:58:33 ----D---- C:\Program Files\Windows Media Connect 2
2008-12-10 22:58:23 ----HDC---- C:\WINDOWS\$NtUninstallwmp11$
2008-12-10 22:57:51 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2008-12-10 22:57:11 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-10 22:57:06 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2008-12-10 22:06:22 ----A---- C:\WINDOWS\cdplayer.ini
2008-12-10 22:05:49 ----D---- C:\Program Files\Common Files\xing shared
2008-12-10 22:05:30 ----D---- C:\Documents and Settings\Owner\Application Data\Real
2008-12-10 19:56:13 ----D---- C:\Program Files\Any Sound Recorder
2008-12-10 12:48:23 ----D---- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-12-10 12:46:32 ----D---- C:\Documents and Settings\Owner\Application Data\ArcSoft
2008-12-10 12:46:30 ----D---- C:\Program Files\Common Files\ArcSoft
2008-12-10 12:46:30 ----A---- C:\WINDOWS\system32\unicows.dll
2008-12-10 12:46:30 ----A---- C:\WINDOWS\PCDLIB32.DLL
2008-12-10 12:46:20 ----D---- C:\WINDOWS\system32\PhotoImpression Slideshow
2008-12-10 12:46:20 ----D---- C:\Program Files\ArcSoft
2008-12-10 12:45:24 ----A---- C:\WINDOWS\PERFV200P.ini
2008-12-10 12:01:06 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
2008-12-10 11:38:51 ----A---- C:\Documents and Settings\All Users\Application Data\__wdump.txt
2008-12-10 11:29:39 ----D---- C:\Program Files\Common Files\Pinnacle
2008-12-10 11:29:13 ----D---- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Ultimate
2008-12-10 11:26:19 ----D---- C:\Program Files\Common Files\Pegasus Imaging
2008-12-10 11:26:14 ----D---- C:\Program Files\Common Files\Yahoo!
2008-12-10 11:26:14 ----D---- C:\Documents and Settings\All Users\Application Data\Studio 12
2008-12-10 11:26:14 ----D---- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Plus
2008-12-10 09:32:55 ----D---- C:\Program Files\DivX
2008-12-10 09:31:22 ----N---- C:\WINDOWS\system32\msvcr71d.dll
2008-12-10 09:31:22 ----N---- C:\WINDOWS\system32\msvcr70d.dll
2008-12-10 09:31:22 ----N---- C:\WINDOWS\system32\msvcp71d.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\msvcp70d.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\mfc71d.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\HHActiveX.dll
2008-12-10 09:31:21 ----N---- C:\WINDOWS\system32\DivXEncSettings.txt
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\msvcr80.dll
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\msvcp80.dll
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\MSVCP70.DLL
2008-12-10 09:30:59 ----N---- C:\WINDOWS\system32\MFC71u.dll
2008-12-10 09:27:14 ----D---- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-12-10 09:13:55 ----RA---- C:\WINDOWS\system32\SimCoInstDev2.dll
2008-12-10 09:13:49 ----A---- C:\WINDOWS\system32\PsisDecd.dll
2008-12-10 09:13:48 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2008-12-09 17:40:58 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-12-07 20:04:24 ----A---- C:\WINDOWS\Studio7.ini
2008-12-07 20:04:24 ----A---- C:\WINDOWS\Studio7.dll
2008-12-07 20:01:17 ----A---- C:\WINDOWS\system32\pclepim1.dll
2008-12-07 20:01:17 ----A---- C:\WINDOWS\system32\miroDVun.dll
2008-12-07 20:01:17 ----A---- C:\WINDOWS\system32\miroDV2bmp.dll
2008-12-07 20:01:16 ----A---- C:\WINDOWS\system32\miroDV2avi.dll
2008-12-07 19:43:49 ----A---- C:\WINDOWS\system32\gear81sd.DLL
2008-12-07 18:47:35 ----D---- C:\WINDOWS\Minidump
2008-11-30 17:03:55 ----D---- C:\Documents and Settings\Owner\Application Data\Acronis
2008-11-29 22:04:09 ----D---- C:\WINDOWS\avdv.drv
2008-11-29 22:03:07 ----A---- C:\WINDOWS\RSETPATH.exe
2008-11-29 22:01:00 ----D---- C:\Program Files\directx
2008-11-29 21:56:36 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2008-11-29 21:56:35 ----D---- C:\Program Files\Real
2008-11-29 21:56:35 ----A---- C:\WINDOWS\system32\pndx5032.dll
2008-11-29 21:56:35 ----A---- C:\WINDOWS\system32\pndx5016.dll
2008-11-29 21:56:35 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-11-29 21:56:34 ----D---- C:\Program Files\Common Files\Real
2008-11-29 21:55:23 ----N---- C:\WINDOWS\system32\MASE32.DLL
2008-11-29 21:55:23 ----N---- C:\WINDOWS\system32\MASD32.DLL
2008-11-29 21:55:23 ----N---- C:\WINDOWS\system32\MAMC32.DLL
2008-11-29 21:55:23 ----A---- C:\WINDOWS\system32\PCLEGetGuid.dll
2008-11-29 21:55:23 ----A---- C:\WINDOWS\system32\Mamc32d.dll
2008-11-29 21:55:22 ----N---- C:\WINDOWS\system32\MACD32.DLL
2008-11-29 21:55:22 ----N---- C:\WINDOWS\system32\MA32.DLL
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\vdrmux.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\vdrcodec.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\MLPagAx.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\langserv.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\Cachex.dll
2008-11-29 21:55:08 ----A---- C:\WINDOWS\system32\Aviprax.dll
2008-11-29 21:55:07 ----A---- C:\WINDOWS\system32\RALMain.dll
2008-11-29 21:55:07 ----A---- C:\WINDOWS\system32\MMAviAx.dll
2008-11-29 21:55:07 ----A---- C:\WINDOWS\system32\DiskIO.dll
2008-11-29 21:52:40 ----D---- C:\Program Files\Pinnacle
2008-11-28 15:23:20 ----D---- C:\Program Files\iPod
2008-11-28 15:23:17 ----D---- C:\Program Files\iTunes
2008-11-28 15:23:17 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 15:22:23 ----D---- C:\Program Files\Bonjour
2008-11-28 15:21:47 ----D---- C:\Program Files\QuickTime
2008-11-28 14:42:53 ----D---- C:\WINDOWS\Sun
2008-11-28 09:42:07 ----A---- C:\WINDOWS\system32\deploytk.dll

======List of files/folders modified in the last 1 months======

2008-12-24 00:39:44 ----D---- C:\Program Files\Prime95_V25
2008-12-24 00:27:42 ----D---- C:\WINDOWS\Temp
2008-12-24 00:24:30 ----D---- C:\Program Files\Mozilla Firefox
2008-12-23 23:45:21 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-23 12:59:25 ----HD---- C:\WINDOWS\inf
2008-12-23 12:55:05 ----RD---- C:\Program Files
2008-12-23 02:02:07 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-22 15:32:22 ----D---- C:\WINDOWS\Prefetch
2008-12-22 12:28:58 ----D---- C:\WINDOWS\system32
2008-12-22 03:13:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-22 03:09:36 ----D---- C:\WINDOWS
2008-12-22 03:06:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-22 03:01:11 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-22 03:00:59 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-22 03:00:57 ----A---- C:\WINDOWS\imsins.BAK
2008-12-13 13:48:54 ----D---- C:\WINDOWS\system32\drivers
2008-12-13 09:16:32 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-12 10:34:41 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-12 10:01:00 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 17:39:07 ----D---- C:\Program Files\Mozilla Thunderbird
2008-12-10 22:58:38 ----A---- C:\WINDOWS\win.ini
2008-12-10 22:58:33 ----D---- C:\Program Files\Windows Media Player
2008-12-10 22:58:30 ----D---- C:\WINDOWS\Help
2008-12-10 22:05:49 ----D---- C:\Program Files\Common Files
2008-12-10 13:12:49 ----SHD---- C:\WINDOWS\Installer
2008-12-10 13:11:47 ----HD---- C:\Config.msi
2008-12-10 12:46:19 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-10 11:29:49 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2008-12-10 11:29:44 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-10 11:28:24 ----RSD---- C:\WINDOWS\Fonts
2008-12-10 10:03:47 ----RSD---- C:\WINDOWS\assembly
2008-12-10 10:03:47 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-10 09:29:39 ----D---- C:\WINDOWS\WinSxS
2008-12-10 09:29:20 ----D---- C:\Program Files\Internet Explorer
2008-12-10 09:29:15 ----D---- C:\WINDOWS\pchealth
2008-12-09 17:41:21 ----D---- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-12-09 17:39:54 ----D---- C:\Program Files\Adobe
2008-12-09 16:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-09 13:04:18 ----D---- C:\WINDOWS\Registration
2008-12-09 12:58:23 ----D---- C:\Program Files\Picture Resize Genius
2008-12-07 19:42:41 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-30 23:10:53 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2008-11-30 23:08:36 ----D---- C:\WINDOWS\twain_32
2008-11-30 21:32:49 ----A---- C:\WINDOWS\system32\Days5.ini
2008-11-28 15:23:19 ----D---- C:\Program Files\Common Files\Apple
2008-11-28 09:41:56 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-28 09:41:56 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-28 09:41:56 ----A---- C:\WINDOWS\system32\java.exe
2008-11-28 09:41:53 ----D---- C:\Program Files\Java

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 InCDPass;Nero InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys [2008-02-28 38952]
R1 incdrm;Nero InCD MRW Remapper; C:\WINDOWS\system32\drivers\InCDRm.sys [2008-02-28 40360]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 LStone;Pinnacle Systems Studio AV/DV Overlay; C:\WINDOWS\system32\DRIVERS\lstone2k.sys [2002-01-09 238048]
R1 MemAlloc;MemAlloc; C:\WINDOWS\system32\DRIVERS\memalloc.sys [2001-08-28 10016]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2008-09-25 279088]
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2008-09-25 43696]
R2 CdaC15BA;CdaC15BA; \??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS []
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-10-26 44384]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 ET5Drv;ET5Drv; \??\C:\WINDOWS\system32\Drivers\ET5Drv.sys []
R3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 GVTDrv;GVTDrv; \??\C:\WINDOWS\system32\Drivers\GVTDrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-02-14 4676096]
R3 MarkFun_NT;MarkFun_NT; \??\C:\Program Files\Gigabyte\ET5Pro\markfun.w32 []
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-09-23 171520]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081223.020\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081223.020\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-04 7435392]
R3 OmniTV;Cx2388x AvStream Video Capture; C:\WINDOWS\system32\DRIVERS\OmniTV.sys [2008-04-29 401280]
R3 Pfc;Padus ASPI Shell; \??\C:\WINDOWS\system32\drivers\pfc.sys []
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-01-03 105856]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R4 InCDfs;Nero InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys [2008-02-28 128424]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
S3 MotDev;Motorola Inc. USB Device; C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-14 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\WNt500x86\Sandra.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2008-09-25 317616]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2008-04-09 431384]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-09-25 108392]
R2 InCDsrv;InCD Helper; C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe [2008-02-28 1440552]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2008-02-18 877864]
R2 NeroRegInCDSrv;Nero Registry InCD Service; C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2008-02-28 53032]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-12-04 155716]
R2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [2006-12-19 81920]
R2 Prime95 Service;Prime95 Service; C:\Program Files\Prime95_V25\prime95.exe [2008-10-05 4558848]
R2 SmcService;Symantec Management Client; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [2008-09-25 2479488]
R2 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2008-04-09 492896]
R3 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-09-25 108392]
R3 GEST Service;GEST Service for program management.; C:\Program Files\GIGABYTE\GEST\GSvr.exe [2007-12-14 47624]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-02-28 529704]
R3 Symantec AntiVirus;Symantec Endpoint Protection; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2008-09-25 2238904]
S1 InCDRec;Nero InCD File System Recognizer; C:\WINDOWS\system32\drivers\InCDRec.sys [2008-02-28 17448]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-08-11 3093872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-09-08 98488]
S3 SNAC;Symantec Network Access Control; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [2008-09-25 296328]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 C-DillaCdaC11BA;C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [2008-10-11 52736]

-----------------EOF-----------------


Now the info.txt

info.txt logfile of random's system information tool 1.04 2008-12-24 00:44:09

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\NuNInst.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acronis True Image Home-->MsiExec.exe /X{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Amazon MP3 Downloader 1.0.3-->C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft PhotoImpression 6-->C:\Program Files\InstallShield Installation Information\{D03E7B00-CA85-4684-9321-1888873C34BD}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Cakewalk Home Studio 9-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Cakewalk\Cakewalk Home Studio 9\Uninst.isu"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Dynamic Energy Saver 1.0 B8.0128.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5869CE1E-BC0B-4648-B1AE-6EF4A985590C}\setup.exe" -l0x9 -removeonly
EasyTune5Pro-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Gigabyte\ET5Pro\Uninst.isu" -c"C:\Program Files\Gigabyte\ET5Pro\uninstdrv.dll"
ETC B07.1219.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C6105B4-2A33-4ADB-89A0-F423D562F3B9}\setup.exe" -l0x9 -removeonly
Eusing Free Registry Cleaner-->C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
InfraRecorder-->C:\Program Files\InfraRecorder\uninstall.exe
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
KeyCarbon Windows Utility v3.1.0-->"C:\Program Files\KeyCarbon Windows Utility\unins000.exe"
LiveUpdate 3.3 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Maple 9-->"C:\Program Files\Maple 9\Uninstall\Uninstall Maple 9.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 6.0 Professional Edition-->"C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft VM for Java-->RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Motorola Driver Installation 3.5.0-->MsiExec.exe /I{D2BD3C8F-9D7F-472B-BDF9-7309A5CB813A}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.18)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero 8-->MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
PC Image Editor-->C:\WINDOWS\PC Image Editor Uninstaller.exe
Picture Resize Genius 2.9.2-->"C:\Program Files\Picture Resize Genius\unins000.exe"
Pinnacle Express-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2158698-9937-4546-85A9-1064E82350F7}\Setup.exe" -l0x9 UNINSTALLUNINSTALL
Pinnacle Instant DVD Recorder-->MsiExec.exe /X{C1212AE3-DBB9-4365-8473-F8ABC7B06BBB}
Pinnacle Studio 12-->MsiExec.exe /I{D041EB9E-890A-4098-8F94-51DA194AC72A}
Pinnacle Studio AV/DV-->C:\PROGRA~1\Pinnacle\STUDIO~3\UNWISE.EXE C:\PROGRA~1\Pinnacle\STUDIO~3\INSTALL.LOG
Pinnacle Studio LINX-->C:\PROGRA~1\Pinnacle\STUDIO~2\UNWISE.EXE C:\PROGRA~1\Pinnacle\STUDIO~2\INSTALL.LOG
Pinnacle TVCenter Pro-->"C:\Program Files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exe"UNINSTALL /l0x0409 -removeonly
Pinnacle Video Driver-->MsiExec.exe /X{5EB90C06-964F-4195-B83E-BD7E55C88415}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
SafeCast Shared Components-->C:\WINDOWS\CDAC13BA.EXE /uninstall
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
SiSoftware Sandra Lite 2009-->"C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Studio-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Pinnacle\Studio 7\Studio7.isu" -cC:\WINDOWS\Studio7.dll
Style Enhancer Micro 1.28-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NTONYX\SEM128\se128.isu"
Symantec Endpoint Protection-->MsiExec.exe /I{BB0500E8-A6D5-4D66-A4F9-1457530E5B6F}
SYSTEM_INFO B07.1219.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC4914EF-6618-4949-A1CF-BD4917A00221}\setup.exe" -l0x9 -removeonly
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Visioneer 3100 USB Scanner Driver-->C:\WINDOWS\twain_32\paprport\3100bUSB\UNWISE.EXE C:\WINDOWS\twain_32\paprport\3100bUSB\INSTALL.LOG
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: Symantec Endpoint Protection

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Pinnacle\Shared Files\;C:\Program Files\Pinnacle\Shared Files\Filter\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=1707
"NUMBER_OF_PROCESSORS"=4
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SAN_DIR"=C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Since you have replied - I will be more aware of our correspondence. Thank you for your time - I will be happy to learn how to clean up my system. - jadams1410

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:02 PM

Posted 24 December 2008 - 08:23 AM

  • Please download
    VundoFix by Atribune to your desktop.
  • Double-click VundoFix.exe to run it.
    You want to run the fix until you see all Vundo files say: "Has been deleted".
  • Click the Scan for Vundo button.
  • When VundoFix opens, click the Scan for Vundo button.
  • After scanning is completed, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • After you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from Click the "Scan for Vundo button. when VundoFix appears at reboot.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#6 jadams1410

jadams1410
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 24 December 2008 - 12:13 PM

Thanks suebaby41 - I sincerely appreciate your time and help.


Ran VundoFix

The search turned up nothing.

Do you mind if I ask if there was a Vundo flag in my logs (if so what was the flag?) or just the from the virus scan I did above.

I am curious to know what you are thinking and I am wanting to learn - not second guessing.

If I even knew that VundoFix existed, I would have run it immediately. One more trick in my bag.

Ready for what's next.

Thanks - jadams1410

#7 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:02 PM

Posted 24 December 2008 - 03:12 PM

Ran VundoFix

The search turned up nothing.

Do you mind if I ask if there was a Vundo flag in my logs (if so what was the flag?) or just the from the virus scan I did above.

I am curious to know what you are thinking and I am wanting to learn - not second guessing.

If I even knew that VundoFix existed, I would have run it immediately. One more trick in my bag.

Ready for what's next.

The entry below is probably left over from the Vundo infection. I wanted you to run VundoFix to be sure it was gone.

O2 - BHO: (no name) - {0B325C42-CA50-4E6F-9D06-57FB1295DDF7} - C:\WINDOWS\system32\khfFXopP.dll (file missing)

Let's do some more cleaning.

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

I noticed that you have some programs that need to be updated.

Your Java Runtime Environment is out of date.

Remove the older versions of Java Runtime Environment. Older versions have vulnerabilities that malware can use to infect your system.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer after all Java components are removed.
Download the latest version.
  • Click java.com download page.
  • Under

    Java Downloads for All Operating Systems
    Recommended Version 6 Update 11

    scroll down to Windows and click on Windows XP/Vista/2000/2003 Offline.
  • NOTE: This page offers files for different platforms - please be sure to download the proper file(s) for your platform.
  • The File Download dialog box appears. Choose the folder location. (Save the file to a known location on your computer, for example, to your desktop).
  • Click Save.
  • If you have previously downloaded this version of JRE, you may be prompted:

    File jre-6ux-windows-i586.exe already exists. Do you want to replace it?

  • Click Yes to replace.
  • Verify that the:

    Name of the file is jre-6u11-windows-i586.exe
    Size is approximately 13.8 MB

  • Close all applications including the browser.
  • Double-click on the saved file icon to start the installation process.
    The installer unpacks the files needed for the installation, which takes less than a minute. After unpacking the installation files, a welcome screen is displayed, the installer presents an option to view the license agreement. Choose Accept the license agreement to continue the installation process
  • Note: Sun Microsystems has partnered with companies that offer various products. The installer may present you with option to install these programs when you install JRE. Make your selections by clicking on the check box next to programs that interest you.
  • Click on Next to continue the installation.
  • The installer displays a Custom Setup screen that allows you to choose program features to set up. We recommend that you keep the default settings unless you are an advanced user who wants more precise control over the components that will be installed.
  • After ensuring that the desired program features are selected, click the Next button to continue with the installation.
  • To test that the JRE is installed, enabled and working properly on your computer, run this test applet from our web site: verify Java has been installed correctly..

Your "Adobe Reader" is out of date.

You may want to download the latest version, Adobe® Reader® 9.

Step 3

In Normal Mode, run an online malware check from at least two and preferably three (one may catch something that another one may not) of the following sites
BitDefender
Computer Associates Online Virus Scan
Kaspersky Online Virus Scanner
McAfee FreeScan
Panda's ActiveScan
Trend Micro™ HouseCall
Windows Live Safety Center Free Online Scan
WindowSecurity.com TrojanScan
When you have completed the scans, if you get a report of files that cannot be cleaned / deleted, make a note of the file location of anything that cannot be cleaned / deleted. Please edit the log(s) and remove:
  • items listed as "Object is locked skipped"
  • items reported that are in a quarantine folder
Please post the edited list in your next reply.

Step 4
  • Please download Ad-Aware 2008 Free to your desktop. The Ad-Aware 2008 Free installation file will be aaw2008.msi or aaw2008.exe.
  • Double-click the file and follow the on-screen instructions in the Installation Wizard to install.
  • When the Please Enter Your License Information screen appears, click Cancel and Ad-Aware 2008 Free will be installed.
  • When the Ad-Aware 2008 Has Been Successfully Installed Screen appears, click Finish to complete the installation and to launch Ad-Aware 2008 Free.
  • The Status screen will appear. You will see four sections.
    • System Protection Status section where you will see Real Time Protection with a check in the Off dialog box and Automatic Updates with a check in the On dialog box.
    • Update Status section
    • System Scan section
    • License Status section where you will see that the Type: will be Free Edition and License Expires in: Never.
  • In the list on the left of the screen, click Scan. You will be given a choice of Smart Scan, Full Scan, and Custom Scan. (Scheduler on the right of the screen is only available in Ad-Aware 2008 Plus and Ad-Aware Pro.)
  • In the list on the left of the screen, click Settings > Scanning tab. Use the default settings unless you see some changes that you want to make.
  • In the list on the left of the screen, click Status. In the System Scan section, click Scan Now.
  • When the scan finishes, the Critical Objects tab window appears.
  • Under Scan Results, you will see the list of Critical Objects that Ad-Aware 2008 Free found. You are given three choices, Add to ignore, Quarantine, Remove, and System Restore. You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If Critical Objects are found, select all objects found (right click anywhere in the list of found objects and click "Select All Objects").
  • Click Remove.
  • If no Critical Objects are found, click the Privacy Objects tab.
  • If there are Privacy Objects listed, select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Select Add to ignore or Remove..
  • Click Remove.
  • If no Privacy Objects are found, click the Log File tab to see the statistics of the Ad-Aware 2008 Free scan.
  • Click Finish.
  • The next screen shows you the Scan Summary in the left panel and System Restore in the right panel.
    • You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If you choose to create a System Restore Point, click Set.
    • You may want to export the results Click Export and save the log on your computer .
    • Click Scan Again to repeat the scan.
  • You will be returned to the Status screen. Click on the X in the upper right corner to exit Ad-Aware 2008 Free.
Step 5

I recommend using Spyware Blaster.
  • Please download SpywareBlaster and save it to your desktop.
  • Double click on it to install the program.
  • Follow the prompts and choose the default locations when installing the program.
  • When the program is installed, it will place an icon on your desktop.
  • Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features
  • Click on the Next button to proceed to the second page of the tutorial.
  • If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  • At the next screen, click Finish.
  • At the next screen, Protection Status, click Enable All Protection.
  • Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.
Step 6

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.
  • Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  • Double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully.
  • At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Step 7
  • Please download SUPERAntiSpyware (SAS) - SUPERAntiSpyware Free Version For Home Users
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options, make sure the following are checked:
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information, please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose Copy.
    • Click Close and Close again to exit the program.
  • Please post that information with a new HijackThis log.
Step 8

Note: On Vista, “Windows Temp” is disabled. To empty “Windows Temp”, ATF-Cleaner must be “Run as an Administrator”.
  • If you have not already done so, please download the ATF-Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch (Windows XP) only
    • Java Cache
  • The rest are optional - if you want to remove them all, check Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • Follow the same steps for Firefox or Opera. You have the option of checking No if you want to save your passwords.
  • Click Exit on the Main menu to close the program.
Do not run it yet.

Step 9
  • According to your Internet connection, please disconnect from the Internet. Close ALL browser windows (including this one).
    • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
    • Turn your modem off.
    • Disconnect your modem cable from your computer.
  • Turn the device off for Hand-held wireless connections.
  • Exit all processes and items in your System tray.
Now we will address the HijackThis fixes.

Step 10

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0B325C42-CA50-4E6F-9D06-57FB1295DDF7} - C:\WINDOWS\system32\khfFXopP.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 11

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 12

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 13

Please run HijackThis in Normal Mode and post:
  • the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  • the log from MalwareBytes
  • the log from SUPERAntiSpyware
  • a new HijackThis log
Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#8 jadams1410

jadams1410
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 24 December 2008 - 04:36 PM

I'm on it. Have all the downloads and am now going off line. Will run your processes and save the files to report.

Thank you for such a detailed response. I am sure we can get this computer fixed.

I used to run adAware but stopped because it was more of a malware than it was supposed to stop, has it changed for the better?

jadams1410

#9 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:02 PM

Posted 25 December 2008 - 06:17 PM

Yes. Ad-Aware is a good program to use to scan your program for spyware. Let me know if you have any questions.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#10 jadams1410

jadams1410
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 26 December 2008 - 09:25 PM

On step 7

Continue to find things on the computer with just about every step . Scanned with four of the online scans - took a long time.

I am saving the logs from those that you asked. All other scans are handling the issues they find.

Just posting an update that I'm still working on it. Will be done soon.

Thanks

#11 jadams1410

jadams1410
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 27 December 2008 - 12:13 AM

Ok SueBaby41 - I did my homework I guess. Here is the report.


Scanned with.....


1 - WindowSecurity.com TrojanScan:

cleaned up some files


2 - Panda Scan disenfectble:

00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\VirusHelp\Flash_Disinfector.exe[C:\Documents

This file I recently downloaded due to my use of many thumb drives. I wanted to stop spreading anything through them. Is this acceptable or is there a better way to keep the removable drives clean?


3 - BitDefender:

it said all the bad files found were deleted in the end. Disinfection did not work on all but they were deleted eventually.


4 - Kaspersky scan:

Not sure everything it found is cleaned.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 25, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 19:42:43
Records in database: 1510545
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 391750
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 06:33:47


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\7ojwqpni.default\Mail\mail.comcast.net\Folder file.sbd\Spam Infected: Trojan-Spy.HTML.Bankfraud.w 1
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600001.VBN Infected: not-a-virus:AdWare.Win32.WebSearch.r 1
E:\Documents and Settings\john\Application Data\Mozilla\Profiles\default\s7u4fx0m.slt\Cache\14FD7AB0d01 Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
E:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\uphtnfqp.slt\Mail\mail.comcast-1.net\Folder file.sbd\Spam Infected: Trojan-Spy.HTML.Bankfraud.w 1
E:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\9o32zhsi.default\Mail\mail.comcast.net\Folder file.sbd\Spam Infected: Trojan-Spy.HTML.Bankfraud.w 1
E:\Documents and Settings\Owner\Local Settings\Temp\NERO14768\Toolbar.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm 1
E:\RECYCLER\S-1-5-21-1850456698-3581506895-1790521817-1006\Dc4.zip Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

EOF

AdAware

Scan mode: Full
Scan time: 01:32:39
Number of objects scanned: 730065
Number of infections found: 4
Critical: 1
Privacy Objects: 3
Infections deleted: 4
Total infections quarantined: 0
Total infections ignored by scanner: 0

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/26/2008 at 07:54 PM

Application Version : 4.23.1006

Core Rules Database Version : 3686
Trace Rules Database Version: 1663

Scan type : Complete Scan
Total Scan Time : 02:52:01

Memory items scanned : 439
Memory threats detected : 0
Registry items scanned : 7626
Registry threats detected : 7
File items scanned : 388110
File threats detected : 4

Rogue.Component/Trace
HKLM\Software\Microsoft\145C0213
HKLM\Software\Microsoft\145C0213#145c0213
HKLM\Software\Microsoft\145C0213#Version
HKLM\Software\Microsoft\145C0213#145caf93
HKLM\Software\Microsoft\145C0213#145cc676
HKU\S-1-5-21-854245398-1606980848-682003330-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-854245398-1606980848-682003330-1003\Software\Microsoft\FIAS4018

Trojan.Unclassified/Loader-Suspicious
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\DOWNLOADS_\CELLPHONES\P2K_EASY_TOOL_ALL_VERSIONS\P2K EASY TOOL V5.3\LOADER.EXE
E:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\DOWNLOADS_\CELLPHONES\P2K_EASY_TOOL_ALL_VERSIONS\P2K EASY TOOL V5.3\LOADER.EXE

Trojan.WinUp
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\JOHN DISK\ANGELEYES\SYSTEM FILES\CYGWIN\LIB\PERL5\VENDOR_PERL\5.8\CYGWIN\AUTO\WIN32\WIN32.DLL

Kontiki Download Manager Browser Helper Object
E:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL


Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 3

12/26/2008 3:37:15 PM
mbam-log-2008-12-26 (15-37-15).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 452409
Time elapsed: 2 hour(s), 48 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
EOF


HijackThis ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:46 PM, on 12/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\Prime95_V25\prime95.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Documents and Settings\Owner\Desktop\VirusHelp\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GEST] C:\Program Files\GIGABYTE\GEST\RUN.exe
O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Owner\My Documents\CellPhoneDir\P2kCommander-V4.9.C\P2kAutostart.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95_V25\prime95.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7936 bytes


I keep the IE Home page set to yahoo myself. I made the change you suggested but now you were thinking it was done by malware. Do you have another alternative that is safer and allows for such flexibilty for information. Or perhaps there is no problem with yahoo?



Lastly - I came across MicroSoft's Windows Defender. I can't get it to start the WinDefend service during install. Am told I don't have sufficient rights to start service.

Is this program valuable? If so I would like to run it. If not I would like to fix the fact that I can't.

I think I still have some issues but not sure where.


Is Opera the new Firefox? Meaning, is it safer due to it's smaller user base and therefore less targeted?

Thanks for your help - jadams1410

#12 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:02 PM

Posted 27 December 2008 - 12:13 PM

00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Owner\Desktop\VirusHelp\Flash_Disinfector.exe[C:\Documents

This file I recently downloaded due to my use of many thumb drives. I wanted to stop spreading anything through them. Is this acceptable or is there a better way to keep the removable drives clean?

If this is the one you have, it is a good program.

Flash_Disinfector.exe by sUBs

NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any command prompt user interface. NirCmd.exe is often flagged as suspicious. Freeware programs often use the NirCmd.exe command.

Rogue.Component/Trace
HKLM\Software\Microsoft\145C0213
HKLM\Software\Microsoft\145C0213#145c0213
HKLM\Software\Microsoft\145C0213#Version
HKLM\Software\Microsoft\145C0213#145caf93
HKLM\Software\Microsoft\145C0213#145cc676
HKU\S-1-5-21-854245398-1606980848-682003330-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-854245398-1606980848-682003330-1003\Software\Microsoft\FIAS4018

Trojan.Unclassified/Loader-Suspicious
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\DOWNLOADS_\CELLPHONES\P2K_EASY_TOOL_ALL_VERSIONS\P2K EASY TOOL V5.3\LOADER.EXE
E:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\DOWNLOADS_\CELLPHONES\P2K_EASY_TOOL_ALL_VERSIONS\P2K EASY TOOL V5.3\LOADER.EXE

Trojan.WinUp
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\JOHN DISK\ANGELEYES\SYSTEM FILES\CYGWIN\LIB\PERL5\VENDOR_PERL\5.8\CYGWIN\AUTO\WIN32\WIN32.DLL

Kontiki Download Manager Browser Helper Object
E:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL

If these are programs you use and know that they are safe, you can disregard the "suspicious" tag.

I keep the IE Home page set to yahoo myself. I made the change you suggested but now you were thinking it was done by malware. Do you have another alternative that is safer and allows for such flexibilty for information. Or perhaps there is no problem with yahoo?

No, it is not malware. I sometimes suggest removing some of them since they are not needed. I use Yahoo as my homepage.

Lastly - I came across MicroSoft's Windows Defender. I can't get it to start the WinDefend service during install. Am told I don't have sufficient rights to start service.

Is this program valuable? If so I would like to run it. If not I would like to fix the fact that I can't.


Make sure you have the lastest version of Windows Installer Try to download and install "Windows Defender". Another good program is ThreatFire.

I think I still have some issues but not sure where.

Let me know how your computer is behaving.

Is Opera the new Firefox? Meaning, is it safer due to it's smaller user base and therefore less targeted?

I still recommend and use Firefox. I am not sure that Opera would be any safer but it is your decision as to which browser to use.

Your log looks good. You have some Optional Fixes in your log. If you feel your computer is running slowly, you may want to do those. Let me know.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#13 jadams1410

jadams1410
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 27 December 2008 - 07:49 PM

Thanks suebaby41

Things are better with the computer. It is just as fast as ever I guess. I think I will try Opera.

You were a lot of help. - jadams1410

#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:10:02 PM

Posted 28 December 2008 - 12:09 PM

Tips To Protect Your Computer
  • Avoid clicking on links in instant messages.
  • Avoid opening email attachments.
  • Avoid visiting every poker site on the net.
  • Avoid downloading all that free cute junk.
  • Avoid using the peer-to-peer file sharing.
  • Avoid getting those handy toolbar doodads for your browsers.
  • Malware is out there just waiting to pounce on your system if you only pass by where they are lurking which may be at some seemingly innocent web site. Be careful because some of the malware are so vicious that no one can possibly save you once you let them in.
  • Remember that new malware emerges every week of the year. Take responsibility for protecting your system because you are its first and best defense.
Tools Downloaded To Clean Your Computer

I asked you to install some tools. Whether or not you need to keep these programs must be decided by you. If you choose to uninstall them, follow these directions:
  • Click Start > Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight the program, click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
Optional Tools:
  • Ad-Aware 2007/2008 scans, detects, and removes spyware on your computer.
  • ATF-Cleaner cleans all user temp folders, Java cache, (which seems to be harboring more and more malware), the cache, cookies, history, download history, visited links and saved passwords. Scan weekly if you have high Internet use.
  • Trend Micro's HijackThis or random's System Information Tool (RSIT) may be uninstalled; however, if you should ever encounter another problem and seek help in this forum or others like it, you will need to download this application.
If you have changed the default settings for files/folders, please restore the default settings for files/folders.
  • Go to My Computer.
  • Select the Tools menu and click Folder Options.
  • Click the View tab.
  • Under Advanced Settings, click the Restore Defaults button in the lower right corner.
  • Click Apply and then the OK and close My Computer.
Please take the time to read the "Steps To Keep Your Computer Clean And Secure" below.

STEPS TO KEEP YOUR COMPUTER CLEAN AND SECURE:

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. After cleaning, you will need to disable the System Restore function For Windows XP.
    Files placed in the System volume information folder are source files for the System Restore function that is available in Windows XP operating system. Files that were healed were moved in their original INFECTED state into this folder and it is necessary to DELETE them by following these steps:
    • Close all open programs. Then right-click My Computer on the Windows' desktop
    • Click on Properties.
    • Click on the System Restore tab.
    • Check Turn off System Restore on all drives.
    • Restart the system.
    • Enable System Restore by going through the first four steps again and uncheck the item mentioned in Step d.
    • You can find instructions on how to disable and enable system restore in the Windows XP System Restore Guide.
  • Make your Internet Explorer more secure: This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it asks you if you want to save the settings, press the Yes button.
    • Click Apply > OK button and then the OK to exit the Internet Properties page.
  • Use a Firewall: - I cannot stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls. For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.
  • Use An Antivirus Software and Keep It Updated: - It is very important that your computer has an antivirus software running on your machine.  This alone can save you a lot of trouble with malware in the future.  It is imperative that you update your antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. For an article on antivirus programs and a listing of some available ones see the link below:
    Computer Safety On line - Anti-Virus
  • Visit Microsoft's Windows Update Site Frequently: It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • You should scan your computer with Spybot S&D on a regular basis just as you would an anti- virus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware from Your Computer
  • You should scan your computer with Ad-Aware 2007/2008 as well as Spybot S&D and your anti-virus program on a regular basis. A tutorial on installing & using this product can be found here:
    Ad-Aware 2007/2008.
  • Update SpywareBlaster (at least weekly): SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firec settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK.
  • Use an alternative instant messenger program:.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet.
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built in popup blocker (as an added benefit!) that I have ever seen.
    Another good browser is Opera . Opera 9 comes loaded with the tools to keep you productive and safe. Try it today, it's absolutely free. Some of the Opera features are: Customization, BitTorrent, Content blocker, Add your favorite search engines, Thumbnail preview of tabs, Widgets, Transfer manager, Tabbed browsing, Password manager, Sessions (You can save a collection of open tabs as a session, for later retrieval, or start with the pages you had open when Opera was last closed.), Keyboard Shortcuts, Cookie control, a multitude of languages, Validate code, Toggle graphics and style sheets, and Special features such as Full-screen mode, Kiosk mode.
  • Update all these programs regularly: Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.
Good luck!


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users